Abstract. We design a variation of the Karp-Miller algorithm to compute, in a forward
manner, a finite representation of the cover (i.e., the downward closure of the reachability
set) of a vector addition system with one zero-test. This algorithm yields decision
procedures for several problems for these systems, open until now, such as place-boundedness
or LTL model-checking. The proof techniques to handle the zero-test are based on two new
notions of cover: the refined and the filtered cover. The refined cover is a hybrid between
the reachability set and the classical cover. It inherits properties of the reachability set:
equality of two refined covers is undecidable, even for usual Vector Addition Systems (with
no zero-test), but the refined cover of a Vector Addition System is a recursive set. The
second notion of cover, called the filtered cover, is the central tool of our algorithms. It
inherits properties of the classical cover, and in particular, one can effectively compute a
finite representation of this set, even for Vector Addition Systems with one zero-test.



1. Introduction

Context: verifying properties of Vector Addition Systems. Petri Nets, Vector Addition
Systems (VAS), and Vector Addition Systems with control States (VASS) are equivalent
well-known classes of counter systems for which the reachability problem is decidable
[27], even if its complexity is still open. On the other hand, testing equality of the
reachability sets of two such systems is undecidable [5, 22]. For this reason, one cannot
compute a canonical finite representation of the reachability set that would make it possible
to test for equality of two reachability sets. However, there is such an effective finite
representation for the cover, a useful over-approximation of the reachability set which is
connected to various verification problems. Therefore, one can decide not only the
coverability problem (that is, membership in the cover), but also whether two VAS have the
same cover.

Vector Addition Systems are powerful models for the verification of networks of identical
finite-state machines communicating by rendez-vous, with dynamic creation and destruction.
Intuitively, a global configuration of such a system is abstracted by nonnegative counters, one
for each possible location of the finite-state machine. A counter value denotes the number of
machines in the corresponding location (see for instance [12]). Notice that dynamic creation
makes the number of processes, and therefore the values of counters, possibly unbounded.
For modeling client-server systems where clients are identical finite-state machines, and the
server is another finite-state machine that can check that no process is in a critical section,
the VAS model is no longer sufficient. Indeed, one must be able to check that a particular
counter is equal to zero, namely the one counting processes in the critical section. This is a
first practical motivation for adding to VAS the ability to test a counter for 0.

Another reason to consider such a model is that it constitutes a first step towards the
verification of VAS equipped with a stack, a model borrowing features from both pushdown
automata and VAS, and that abstracts recursive programs manipulating constrained
counters. However, these systems are difficult to analyze. Abstracting away the actual stack
alphabet transforms the stack into a counter that can be tested for zero. In this paper, we
study verification problems for VAS with one zero-test.

If one adds to VAS the ability to test at least two counters for zero, one obtains a
model equivalent to Minsky machines, for which all nontrivial properties (in the sense of
Rice's theorem) of the language they recognize are undecidable, and many properties of
their behavior, such as reachability of a control state or termination, are also undecidable.
The study of VAS with a single zero-test is recent, and only few results are known for this
model. Reinhardt [33] has shown that the reachability problem is decidable for VAS with
one zero-test transition (as well as for hierarchical zero-tests), and an alternate, simpler
proof of this result was recently given by the first author [7]. Abdulla and Mayr have shown
in [2] that the coverability problem is decidable, by using both the backward procedure of
Well Structured Transition Systems [1] (see [20] for a survey on Well Structured Transition
Systems), and the decidability of forward-reachability of ordinary VASS as an oracle.
The boundedness problem (whether the reachability set is finite), the termination and the
reversal-boundedness problem (whether the counters can alternate infinitely often between
the increasing and the decreasing modes) are all decidable by using a forward procedure,
computing a finite, yet incomplete, Karp-Miller tree [19].

LTL specifications. Linear time temporal logic is a widely used specification logic, which
can express safety and liveness properties. Emerson [12] has designed an algorithm based on
a covering graph to check LTL properties on Well Structured Transition Systems, but which
may not terminate. Esparza [13, 14] has shown that model checking of LTL specifications on
the actions of a VAS is decidable (contrary to CTL) and that LTL becomes undecidable if one
adds state predicates. Habermehl [21] completed this proof by showing EXPSPACE-completeness
of LTL satisfiability, by generalizing Rackoff's proof [32]. These results have been unified in [5].
Our contribution. We give an algorithm for computing a finite representation of the cover
for a VAS with one zero-test. This result makes it possible to decide the place-boundedness
problem, which is in general undecidable for VAS extensions (such as VAS with resets
or lossy counter machines, i.e., lossy VAS with zero-test transitions [9, 31]).

Our proof first introduces a new notion of cover, called refined cover, where the usual
ordering on vectors is replaced by one that insists on keeping equality on certain components.
The refined cover is a set hybrid between the reachability set and the classical cover. We show
that equality of two refined covers is undecidable, even for usual VAS (with no zero-test).
However, one can show that such a refined cover is recursive for a VAS. We then introduce
filtered covers, the main technical tool of our algorithm. A filtered cover is defined with
respect to some specific values attached to some components. It consists of retaining only
those vectors from the reachability set that agree with these values, before taking the usual
downward closure. By transferring decidability results from refined covers to filtered covers,
we are able to compute a finite representation of any filtered cover. We use this representation
to propose an algorithm à la Karp and Miller, which builds a tree to compute the cover of a
VAS with one zero-test. This allows us to obtain new decidability results for such systems,
namely for the classical problem of place-boundedness. Finally, we show that repeated control
state reachability for vector addition systems with states and one zero-test is decidable, as
well as LTL model-checking, by reducing these problems to the reachability problem. Note
that, for VASS (with no zero-test), both problems can be reduced to the computation of
the cover set. We do not know whether there is such a reduction between the corresponding
problems for VASS with one zero-test, and we leave it as an open problem.

Thus, this work can be viewed as a contribution to understanding the limits of decid- 
ability, taking into account two parameters: the models (VAS and VAS with one zero-test) 
and the problems (reachability, cover, refined and filtered cover). 

The difficulty. The central problem is to compute the cover of a VAS with one zero-test. 
Let us explain why the usual Karp-Miller algorithm is not sufficient for that purpose. A 
crucial property of VAS used by this algorithm is monotony: actions fireable from a state 
are still fireable from any larger state. This property is clearly broken by the zero-test. 

A natural idea appearing in [19] is to adapt the classical Karp-Miller construction [25]:
first build the Karp-Miller tree, but without firing the zero-test. To continue the construction
after this first stage, we need to fire the zero-test from the leaves of the Karp-Miller tree
carrying a 0 value on the component that is tested to 0. The problem is that accelerations
performed while building the Karp-Miller tree may have produced, on this component in the
label of such a leaf, an $\omega$ value that represents arbitrarily large values, and that abstracts
actual values. For this reason, one may not be able to determine whether the zero-test succeeds
or not. We therefore want more accurate information in the labeling of the leaves, for the
component tested to 0. This is what the filtered cover actually captures.

To be more precise, let us illustrate this difficulty with some short examples (assuming
basic knowledge on VAS/VASS, see Sec. 3/7). The Karp-Miller algorithm [25, 15] computes
a finite representation of the cover of a VASS, i.e., the downward closure of its reachability
set (for the usual ordering over $\mathbb{N}^d$, where $d$ is the dimension of the VASS). It builds a
finite tree, whose nodes are labeled by elements of $(\mathbb{N} \cup \{\omega\})^d$, where intuitively $\omega$
represents arbitrarily large values. At the end of the algorithm, the cover is exactly the set of
vectors of $\mathbb{N}^d$ belonging to the downward closure of the set of labels. The tree is obtained
by unwinding the system, and by performing acceleration when possible, in order to guarantee
termination: if one finds two nodes on the same branch, such that the lowest one in the branch
is labeled by a greater element, one replaces by $\omega$ all components that have grown (this
captures the iteration of the firing sequence between the two nodes, and this is where monotony
is used). We aim at generalizing this algorithm for VASS with one zero-test.

As a first example, consider in dimension 1 the two VASS with one zero-test represented
in Fig. 1. They only differ by the transition from $p$ to $q$. The transition from $q$ to $r$ is the
zero-test, fireable only when the counter is 0, and which does not affect the counter. Starting
from the initial state $(p, 0)$ and firing the loop from $p$ to itself, the algorithm first computes
as left child of the root a node labeled $(p, 2)$, which then gets accelerated as $(p, \omega)$. Then,
firing the transition from $p$ to $q$ yields the node $(q, \omega)$. Now, the zero-test is not fireable
in the first case, while it is fireable in the second case. Therefore, the Karp-Miller trees we
want to compute should differ (see Fig. 1, which shows two such partial Karp-Miller trees).
However, this cannot be detected with the information available on the branch from $(p, 0)$ to
$(q, \omega)$, because this information is identical for both systems: it consists of the nodes $(p, 0)$,
$(p, \omega)$, $(q, \omega)$. This example illustrates the fact that the $\omega$ component, in $(q, \omega)$, hides the
actual reachable values, and therefore also hides the ability or inability to fire the zero-test.

Fig. 1: Two VASS with one zero-test, and their Karp-Miller trees (figure not reproduced; only the labels +2 and -2 of its transitions survive)

The next example (Fig. 2) is in dimension 2. The zero-test occurs on the first component.
It shows that even if one could determine when to fire the zero-test, one might be unable to
compute the relevant node labeling using only information provided by classical Karp-Miller
trees. Indeed, the Karp-Miller trees for both systems before firing the zero-test are identical.
However, firing the zero-test from $(q, \omega, \omega)$ should produce a node labeled $(r, 0, 0)$ in the first
case, and $(r, 0, \omega)$ in the second one. Here, $\omega$ values in $(q, \omega, \omega)$ hide relevant relationships
between components (namely, that both components remain equal in the first system).

Fig. 2: Two VASS with one zero-test (figure not reproduced; its transition labels are (+1,+1), (-1,-1), (+1,+1), (-1,0))

The schema of our proof.

(1) We start in Section 4 with usual VAS: we extend the decidability of the reachability
problem for VAS, by proving that the set Lim Reach of limits of sequences of reachable
states is also recursive. This set Lim Reach contains the reachability set, and captures
more information, in general. Actually, it is more sophisticated than both the cover
and the reachability set: it allows one to know whether an element in $(\mathbb{N} \cup \{\omega\})^d$ is a
reachable state or if it is the limit of a sequence of reachable states. This information
is given neither by the reachability set nor by the cover (using the pointwise ordering
over $(\mathbb{N} \cup \{\omega\})^d$, and the natural ordering over $\mathbb{N} \cup \{\omega\}$: $n \le \omega$ for all $n$). The proof
carries on by using Higman's Lemma, with a nontrivial ordering.

(2) In Section 5 we refine the definition of cover so that the first component of the vectors
now has to be known exactly (and not only bounded by some maximal value). We prove
that, for VAS, the fact that Lim Reach is recursive implies that one can compute the
finite basis of this filtered cover.

(3) In Section 6 we compute the finite basis of the cover of a VAS with one zero-test by
using a variation of the Karp-Miller algorithm that uses the previously defined filtered
covers in order to convey enough information to go through the zero-test.

(4) We add control states to our VAS with one zero-test in Section 7 and we show that one
can detect reachable increasing loops on a given control state, by reducing this problem
to the reachability problem for VASS with one zero-test, a decidable problem [33, 7].
This allows us to decide repeated control state reachability. We also note that this makes
it possible to solve model checking against LTL or $\omega$-regular specifications. However,
contrary to the situation without any zero-test, this is obtained by reducing this problem
to the reachability problem, and not to the computation of the cover. Whether a
reduction to this simpler problem exists is left open.

2. Preliminaries 

Words. We denote by $A^*$ the set of finite words over $A$. A word $u \in A^*$ is written $a_1 \cdots a_n$,
with $a_i \in A$. The concatenation of two words $u$ and $v$ is simply written $uv$ and the empty
word is denoted $\varepsilon$, with $\varepsilon a = a \varepsilon = a$. We let $A^+ = A^* \setminus \{\varepsilon\}$ be the set of nonempty words.

Orderings. An ordering $\preceq$ on a set $X$ is a reflexive, transitive and antisymmetric binary
relation over $X$. Given $x, y \in X$, we write $x \prec y$ for $x \preceq y$ and $x \neq y$. For $Y \subseteq X$, let

$\downarrow_{\preceq} Y = \{x \in X \mid \exists y \in Y,\ x \preceq y\}$

denote the downward closure of $Y$ with respect to $\preceq$. The set $Y$ is said to be downward closed
if $Y = \downarrow_{\preceq} Y$. When working in $\mathbb{N}^d$ or $\mathbb{N}_\omega^d$, with the usual ordering $\le$ (see below), we shorten
the corresponding downward closure operator $\downarrow_{\le}$ as $\downarrow$. Symmetrically, the upward closure
of $Y \subseteq X$, denoted $\uparrow_{\preceq} Y$, is defined by

$\uparrow_{\preceq} Y = \{x \in X \mid \exists y \in Y,\ y \preceq x\}.$

The set $Y$ is said to be upward closed if $\uparrow_{\preceq} Y = Y$.
Vectors. For $d \ge 1$, we write any vector $x \in X^d$ as $x = (x(1), \ldots, x(d))$, with $x(i) \in X$.
Given an ordering $\preceq$ over $X$, the pointwise ordering over $X^d$, still denoted $\preceq$, is defined by
$x \preceq y$ if $x(i) \preceq y(i)$ for all $i$. For $X = \mathbb{N}$, we let $\mathbf{0}$ be the vector whose components are
all 0, and we say that $x$ is nonnegative if $x \ge \mathbf{0}$. For $i \in \{1, \ldots, d\}$, we let $e_i$ be the vector
such that $e_i(i) = 1$ and $e_i(k) = 0$ if $k \neq i$.

Limits in $\mathbb{N}^d$. We introduce an element $\omega \notin \mathbb{N}$ and the set $\mathbb{N}_\omega = \mathbb{N} \cup \{\omega\}$. A sequence $(\ell_n)_{n \ge 0}$
(also written $(\ell_n)_n$) of elements of $\mathbb{N}_\omega$ converges to $\ell \in \mathbb{N}_\omega$ if either it is ultimately constant
with value $\ell$, or its subsequence of integer values is infinite, tends to infinity, and $\ell = \omega$. We
then say that $\ell$ is the limit of $(\ell_n)_n$, noted $\lim_n \ell_n = \ell$, or $\ell_n \to \ell$. A sequence $(x_n)_n$ of
vectors of $\mathbb{N}_\omega^d$ has limit $x \in \mathbb{N}_\omega^d$, noted $\lim_n x_n = x$, if $\lim_n x_n(i) = x(i)$ for all $i \in \{1, \ldots, d\}$.
For $M \subseteq \mathbb{N}_\omega^d$, let $\mathrm{Lim}\, M$ be the set of limits of sequences of elements of $M$. Notice that

$M \subseteq \mathrm{Lim}\, M,$ (2.1)

and

if $M \subseteq \mathbb{N}^d$, then $M = \mathbb{N}^d \cap \mathrm{Lim}\, M.$ (2.2)

Topologically speaking, $\mathrm{Lim}\, M$ is the least limit closed set containing $M$. It is called the
limit closure of $M$. The set $M$ is said to be limit closed if $M = \mathrm{Lim}\, M$.

Downward closed sets of $\mathbb{N}^d$ and $\mathbb{N}_\omega^d$. Given an ordered set, one may under suitable
hypotheses construct a topological completion of this set, to recover a finite description of
its downward closed subsets [16, 17]. The completion of $(\mathbb{N}^d, \le)$ is $(\mathbb{N}_\omega^d, \le)$, where we extend
the ordering $\le$ over $\mathbb{N}$ by $n \le \omega$ for all $n \in \mathbb{N}_\omega$.

A basis of a set $D \subseteq \mathbb{N}_\omega^d$ is a finite set $B \subseteq \mathbb{N}_\omega^d$ such that

$\mathrm{Lim}\, D = \downarrow B.$ (2.3)

Such a set $B$ is a finite representation of $\mathrm{Lim}\, D$. One verifies that the maximal elements of
any basis $B$ of $D$ still form a basis, which only depends on $D$. It is minimal for inclusion
among all bases, and is called the minimal basis of $D$. Of course, not all sets admit a basis.
By [16, 17], any downward closed set $D \subseteq \mathbb{N}^d$ admits a basis. This extends to any downward
closed set $D$ of $\mathbb{N}_\omega^d$. Indeed, one can check that

$\mathrm{Lim}\, D = \mathrm{Lim}\,(D \cap \mathbb{N}^d),$ (2.4)

so that a basis $B$ of the downward closed set $D \cap \mathbb{N}^d$ satisfies $\mathrm{Lim}\, D = \downarrow B$. Note that
conversely, if $B \subseteq \mathbb{N}_\omega^d$ is finite, then $\downarrow B$ is limit closed (this may fail if $B$ is infinite).
Finally, the limit and downward closure operators commute:

$\downarrow \mathrm{Lim}\, M = \mathrm{Lim} \downarrow M.$ (2.5)

Upward closed sets. If $\preceq$ is a well ordering over $X$ (see Sec. 4), then for any
upward closed set $Y \subseteq X$, there exists a finite set $B \subseteq Y$ such that $Y = \uparrow_{\preceq} B$. Such a set
is again called a basis (as for downward closed sets, but there will be no ambiguity). Observe that
contrary to the case of downward closed sets, no topological completion is needed here.

Example 2.1. Consider the set $D = \{(x, y) \in \mathbb{N}^2 \mid x \le 3 \vee y \le 1\} \cup \{(4,2), (4,3), (5,2)\}$,
which is downward closed. It is represented by the grayed area in Fig. 3. Its limit
closure is $\mathrm{Lim}\, D = D \cup (\{0, 1, 2, 3\} \times \{\omega\}) \cup (\{\omega\} \times \{0, 1\})$. A non-minimal basis of $D$ is
$(\mathrm{Lim}\, D \setminus D) \cup \{(4,3), (5,2)\}$, shown with dots $\bullet$ and $\circledast$ in Fig. 3, where elements involving $\omega$
fall beyond the grid. Its minimal basis is $\{(3,\omega), (4,3), (5,2), (\omega,1)\}$ (circled $\circledast$ in Fig. 3).
The minimal basis of its (upward closed) complement in $\mathbb{N}^2$ is $\{(4,4), (5,3), (6,2)\}$.

Fig. 3: A set D (grayed), elements of a basis ($\bullet$ and $\circledast$) and of its minimal basis ($\circledast$) (figure not reproduced)
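As an added illustration of Example 2.1 (not code from the paper), the following Python program represents a downward closed set by a finite basis over $\mathbb{N} \cup \{\omega\}$, decides membership through $D = \mathbb{N}^d \cap \downarrow B$, extracts the minimal basis as the maximal elements of any basis, and computes the minimal basis of the upward closed complement. The complement computation relies on two identities that the text does not state but that are standard: $\mathbb{N}^d \setminus \downarrow\{b\} = \bigcup_{i : b(i) < \omega} \uparrow((b(i)+1)\, e_i)$, and an intersection $\uparrow X \cap \uparrow Y$ of upward closed sets is generated by the pointwise maxima $\max(x, y)$ for $x \in X$, $y \in Y$.

```python
"""Finite bases of downward closed subsets of N^d, worked on Example 2.1.

Added example, not code from the paper. A downward closed D ⊆ N^d is
represented by a finite basis B ⊆ (N ∪ {omega})^d with Lim D = ↓B, and
omega is math.inf so that n < omega holds for every integer n.
"""
import math
from itertools import product

OMEGA = math.inf


def leq(x, y):
    """Pointwise ordering on (N ∪ {omega})^d."""
    return all(a <= b for a, b in zip(x, y))


def in_downward_closure(x, basis):
    """x ∈ ↓B; for a basis B of D this decides x ∈ D = N^d ∩ ↓B (eqs. 2.2, 2.3)."""
    return any(leq(x, b) for b in basis)


def maximal_elements(vectors):
    vectors = set(vectors)
    return sorted(v for v in vectors if not any(v != w and leq(v, w) for w in vectors))


def minimal_elements(vectors):
    vectors = set(vectors)
    return sorted(v for v in vectors if not any(v != w and leq(w, v) for w in vectors))


def minimal_basis(basis):
    """The maximal elements of any basis form the canonical minimal basis."""
    return maximal_elements(basis)


def complement_basis(basis, d):
    """Minimal basis of the upward closed set N^d minus ↓B.

    N^d minus ↓{b} is the union over i with b(i) < omega of ↑((b(i)+1)·e_i), and
    ↑X ∩ ↑Y is generated by the pointwise maxima max(x, y); fold this over B."""
    current = {tuple([0] * d)}  # ↑{0} = N^d
    for b in basis:
        generators = {
            tuple(b[i] + 1 if j == i else 0 for j in range(d))
            for i in range(d) if b[i] < OMEGA
        }
        current = set(minimal_elements(
            tuple(max(a, c) for a, c in zip(x, y)) for x in current for y in generators
        ))
    return sorted(current)


# Example 2.1 of the paper: D = {(x, y) | x <= 3 or y <= 1} ∪ {(4,2), (4,3), (5,2)}.
def in_D(x, y):
    return x <= 3 or y <= 1 or (x, y) in {(4, 2), (4, 3), (5, 2)}


# The non-minimal basis (Lim D \ D) ∪ {(4,3), (5,2)} of the example.
NON_MINIMAL_BASIS = [(0, OMEGA), (1, OMEGA), (2, OMEGA), (3, OMEGA),
                     (OMEGA, 0), (OMEGA, 1), (4, 3), (5, 2)]


def basis_matches_D(basis, size=12):
    """Sanity check on a grid: ↓B restricted to N^2 coincides with D."""
    return all(in_downward_closure((x, y), basis) == in_D(x, y)
               for x, y in product(range(size), repeat=2))


def complement_matches(basis, d=2, size=12):
    """On a grid, x ∉ ↓B exactly when x lies above some complement generator."""
    comp = complement_basis(basis, d)
    return all(in_downward_closure(x, basis) != any(leq(c, x) for c in comp)
               for x in product(range(size), repeat=d))


if __name__ == "__main__":
    print("minimal basis:", minimal_basis(NON_MINIMAL_BASIS))
    print("basis of the complement:", complement_basis(NON_MINIMAL_BASIS, 2))
```

Running it reproduces the two bases given in the example, $\{(3,\omega), (4,3), (5,2), (\omega,1)\}$ and $\{(4,4), (5,3), (6,2)\}$; the grid checks confirm that the basis describes $D$ exactly and that the complement basis is its exact complement.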



3. Vector Addition Systems 

Definition 3.1. A Vector Addition System with one zero-test (shortly $\mathrm{VAS}_Z$) of dimension $d$
is a tuple $V = (A, a_z, \delta, x_{in})$, where $A$ is a finite alphabet of actions, $a_z \notin A$ is called the
zero-test, $\delta : A \cup \{a_z\} \to \mathbb{Z}^d$ is a mapping, and $x_{in} \in \mathbb{N}^d$ is the initial state.

Other equivalent formalisms exist, for instance with states, or with multiple zero-test
transitions that test the same counter for zero. For now, we stick to the simplest version,
and we shall introduce states in Section 7.

Intuitively, a $\mathrm{VAS}_Z$ works with $d$ counters, one for each component, whose initial values
are given by $x_{in}$. Executing action $a \in A \cup \{a_z\}$ translates the counter values according
to $\delta(a) \in \mathbb{Z}^d$. The mapping $\delta$ extends to a monoid morphism $\delta : (A \cup \{a_z\})^* \to \mathbb{Z}^d$, so
that $\delta(\varepsilon) = \mathbf{0}$ and $\delta(uv) = \delta(u) + \delta(v)$ for $u, v \in (A \cup \{a_z\})^*$. More formally, a $\mathrm{VAS}_Z$
$V = (A, a_z, \delta, x_{in})$ of dimension $d$ induces a transition relation $\to \subseteq \mathbb{N}^d \times (A \cup \{a_z\}) \times \mathbb{N}^d$ with:

$x \xrightarrow{a} y$ if $\delta(a) = y - x$, for all $a \in A$, (3.1)

$x \xrightarrow{a_z} y$ if $\delta(a_z) = y - x$ and $x(1) = 0$.

We extend this relation to words by $x \xrightarrow{\varepsilon} x$, and $x \xrightarrow{ua} z$ if there exists $y$ such that
$x \xrightarrow{u} y \xrightarrow{a} z$. We say that $u \in (A \cup \{a_z\})^*$ is fireable from $x$ if there exists $y$ such that
$x \xrightarrow{u} y$. When there may be ambiguity on the $\mathrm{VAS}_Z$, we will write $\xrightarrow{u}_V$ instead of $\xrightarrow{u}$.

Definition 3.2. A Vector Addition System (VAS) of dimension $d$ is a tuple $(A, \delta, x_{in})$,
where $A$ is a finite alphabet, $\delta : A \to \mathbb{Z}^d$ is a mapping and $x_{in} \in \mathbb{N}^d$ is the initial state.

A VAS is a particular $\mathrm{VAS}_Z$: choosing $a_z \notin A$, this VAS is formally equivalent to the
$\mathrm{VAS}_Z$ $(A, a_z, \delta', x_{in})$, where $\delta'$ extends $\delta$ by $\delta'(a_z) = (-1, 0, \ldots, 0)$ (i.e., $a_z$ can never be
fired: it requires $x(1) = 0$ and would make this component negative).

For a $\mathrm{VAS}_Z$ or a VAS $V$ of dimension $d$, the reachability set $\mathrm{Reach}(V)$ and the cover
$\mathrm{Cover}(V)$ of $V$ are the following subsets of $\mathbb{N}^d$:

$\mathrm{Reach}(V) = \{y \in \mathbb{N}^d \mid \exists u \in (A \cup \{a_z\})^*,\ x_{in} \xrightarrow{u} y\},$
$\mathrm{Cover}(V) = \downarrow \mathrm{Reach}(V).$
We call elements of $\mathrm{Reach}(V)$ reachable states (also called reachable markings in related
work). The reachability (resp. coverability) problem consists in deciding membership in
$\mathrm{Reach}(V)$ (resp. in $\mathrm{Cover}(V)$). Reachability is decidable for VAS [27] and $\mathrm{VAS}_Z$ [33, 7].

Theorem 3.1. Given a VAS or $\mathrm{VAS}_Z$ $V$, the reachability problem for $V$ is decidable.

Testing membership in the cover set is much easier, and one even gets a more precise
result [25, 20, 17]:

Theorem 3.2. Given a VAS $V$, one can effectively compute a (finite) basis of $\mathrm{Cover}(V)$.

Observe that given a (finite) basis $B$ of a downward closed set $D \subseteq \mathbb{N}^d$, one can
effectively test membership in $D$, since $D = \mathbb{N}^d \cap \downarrow B$ by (2.2) and (2.3). Therefore, Theorem 3.2
implies that one can effectively decide membership in $\mathrm{Cover}(V)$.

Computing a finite basis of the cover also makes it possible to decide whether two VAS
have the same cover, since from a finite basis, one can also compute the minimal basis, which
is canonical. Likewise, one can decide inclusion of covers. Finally, Theorem 3.2 implies that
one can decide place-boundedness, that is, whether the projection of $\mathrm{Reach}(V)$ on some given
component is bounded. In the next three sections, we shall show that one can also effectively
compute a finite basis for the cover of a $\mathrm{VAS}_Z$.

4. Limits of reachable states of a VAS 

As observed above, for $M \subseteq \mathbb{N}^d$, one can immediately construct an algorithm deciding
membership in $M$ from an algorithm deciding membership in $\mathrm{Lim}\, M$, since $M = \mathbb{N}^d \cap \mathrm{Lim}\, M$
by (2.2). However, the converse is not true. Let us explain two reasons for this.

a. First, even if $M$ is recursive, it may happen that $\mathrm{Lim}\, M$ is not. We recall here an example
from [18, Prop. 2.4]. Let $T_0, T_1, \ldots$ be an effective enumeration of Turing machines. Let
$\alpha(k, \ell) = |\{j \le k \mid T_j \text{ halts in at most } \ell \text{ steps on } \varepsilon\}|$ and $M = \{(k, \ell, \alpha(k, \ell)) \mid k, \ell \ge 0\}$.
It is easy to describe an algorithm computing $\alpha(k, \ell)$ given $k, \ell \in \mathbb{N}$, and therefore also
an algorithm to decide membership in $M$. However, $\mathrm{Lim}\, M$ is not recursive, since the
halting problem reduces to it. Indeed, $(k, \omega, m) \in \mathrm{Lim}\, M$ means that exactly $m$ machines
among $T_0, \ldots, T_k$ halt on the empty word. Therefore, $T_k$ halts on $\varepsilon$ if and only if there
exists $m \le k + 1$ such that $(k, \omega, m) \in \mathrm{Lim}\, M$ and $(k - 1, \omega, m - 1) \in \mathrm{Lim}\, M$.

b. Second, even if $\mathrm{Lim}\, M$ is recursive, one may not be able to effectively derive an algorithm
deciding membership in $\mathrm{Lim}\, M$ from a description of $M$ (such as a data structure, or an
algorithm deciding membership in $M$). As an example, consider the reachability set $M$
of a lossy counter machine (see again [31], or [34] for a survey). An algorithm to decide
membership of $x$ in $M$ is to compute the bases of the upward closed sets $\mathrm{Pre}^{\le i}(\uparrow x)$ for
$i = 0, 1, 2, \ldots$, where $\mathrm{Pre}(X)$ denotes the set of predecessors of $X$ and $\mathrm{Pre}^{\le i}(X)$ the set of
predecessors of $X$ in at most $i$ steps. The sequence stabilizes, since it is an increasing sequence
of upward closed sets. Moreover, due to the lossy behavior, $M$ is downward closed. Therefore,
it admits a finite basis $B$, so that $\mathrm{Lim}\, M = \downarrow B$ is recursive. However, there is no algorithm
taking as input a lossy counter machine and a vector $x \in \mathbb{N}_\omega^d$, and deciding membership of
$x$ in $\mathrm{Lim}\, M$, where $M$ is the reachability set. Indeed, the set $M$ is infinite if and only if
$\mathrm{Lim}\, M$ contains some vector of $\mathbb{N}_\omega^d$ having at least an $\omega$-component. Therefore, the
existence of such an algorithm would imply that the boundedness problem (i.e., whether the
reachability set is finite) is co-recursively enumerable, which is not the case: boundedness for
lossy counter machines is $\Sigma^0_1$-complete.

The main result of this section considers the case where $M$ is the reachability set of a VAS $V$.
Since $\mathrm{Cover}(V) = \downarrow\mathrm{Reach}(V) = \mathbb{N}^d \cap \mathrm{Lim}\downarrow\mathrm{Reach}(V) = \mathbb{N}^d \cap \downarrow\mathrm{Lim}\,\mathrm{Reach}(V)$ (where the last
two equalities follow from (2.2) and (2.5)), one can by Theorem 3.2 effectively compute a
basis of $\downarrow\mathrm{Lim}\,\mathrm{Reach}(V)$. However, since $\mathrm{Lim}\,\mathrm{Reach}(V)$ is not necessarily downward closed,
this does not directly entail an algorithm for deciding membership in this set.

Theorem 4.1. Given a VAS $V$ and $x \in \mathbb{N}_\omega^d$, one can decide whether $x \in \mathrm{Lim}\,\mathrm{Reach}(V)$.

We establish Theorem 4.1 by describing two semi-algorithms proving that $\mathrm{Lim}\,\mathrm{Reach}(V)$
and its complement in $\mathbb{N}_\omega^d$ are both recursively enumerable sets. Let us start with the
most interesting direction. We shall prove that $\mathrm{Lim}\,\mathrm{Reach}(V)$ is recursively enumerable, by
introducing productive sequences, a notion inspired by Hauschildt [23].



Definition 4.1. Let $V = (A, \delta, x_{in})$ be a VAS, and let $\pi = (u_j)_{0 \le j \le k}$ be a sequence of words
over $A$. We say that $\pi$ is productive in $V$ for a word $v = a_1 \cdots a_k \in A^*$ if the words

$u_0^n\, a_1\, u_1^n \cdots a_k\, u_k^n, \qquad n \ge 1,$

are all fireable from $x_{in}$.

In particular, if $\pi$ is productive for $v$, the state $x_{in} + \delta(v) + n\,\delta(\pi)$ is a reachable state in $V$,
where $\delta(\pi) = \sum_{j=0}^{k} \delta(u_j)$. Definition 4.1 shows that the set $\{(\pi, v) \mid \pi \text{ productive in } V \text{ for } v\}$
is co-recursively enumerable. The following characterization immediately gives an algorithm
to decide membership in this set, showing that it is actually recursive.

Lemma 4.2. A sequence $\pi = (u_j)_{0 \le j \le k}$ is productive in $V$ for a word $a_1 \cdots a_k$ if and only if

(1) the partial sums $\delta(u_0) + \cdots + \delta(u_j)$ are nonnegative for every $j \in \{0, \ldots, k\}$, and

(2) the word $u_0\, a_1\, u_1 \cdots a_k\, u_k$ is fireable from $x_{in}$.

Proof. Let us introduce the states $y_0 = x_{in}$ and $y_j = x_{in} + \delta(a_1 \cdots a_j)$ for $j \in \{1, \ldots, k\}$,
and the partial sums $X_{-1} = \mathbf{0}$ and $X_j = \delta(u_0) + \cdots + \delta(u_j)$ for $j \in \{0, \ldots, k\}$. We put
$u[-1, n] = \varepsilon$, $u[j, n] = u_0^n\, a_1\, u_1^n \cdots a_j\, u_j^n$ for $j \ge 0$, and $v[j, n] = u[j, n]\, a_{j+1}$.

If $\pi$ is productive for $v = a_1 \cdots a_k$, then $u[k, n]$ is fireable from $x_{in}$ for all $n \ge 1$.
Therefore, $u[j, n]$ is also fireable from $x_{in}$ for $j \le k$. We deduce that $x_{in} + \delta(u[j, n]) = y_j + n X_j$
is nonnegative for every $n \ge 1$. In particular $X_j \ge \mathbf{0}$. We have proved (1), and (2) is obvious.

Conversely, assume that (1) and (2) both hold. For all $n \ge 1$, we have to show that
$u[k, n]$ is fireable from $x_{in}$, i.e., that $x_{in} + \delta(w) \ge \mathbf{0}$ for any nonempty prefix $w$ of $u[k, n]$.
Such a prefix is of the form $v[j-1, n]\, u_j^p\, u'_j$ for some $0 \le j \le k$, $0 \le p < n$, and some prefix
$u'_j$ of $u_j$. By rearranging terms, we obtain

$x_{in} + \delta(v[j-1, n]\, u_j^p\, u'_j) = x_{in} + \delta(u_0^n\, a_1\, u_1^n \cdots a_{j-1}\, u_{j-1}^n\, a_j\, u_j^p\, u'_j)$

$= x_{in} + \delta(u_0\, a_1\, u_1 \cdots a_j\, u'_j) + (n-1) X_{j-1} + \delta(u_j^p)$

$= x_{in} + \delta(u_0\, a_1\, u_1 \cdots a_j\, u'_j) + (n-p-1) X_{j-1} + p X_j.$

By (1) we have $X_{j-1}, X_j \ge \mathbf{0}$. By (2) the word $u_0\, a_1\, u_1 \cdots a_k\, u_k$ is fireable from $x_{in}$, and in
particular, $x_{in} + \delta(u_0\, a_1\, u_1 \cdots a_j\, u'_j) \ge \mathbf{0}$. Therefore, $x_{in} + \delta(v[j-1, n]\, u_j^p\, u'_j) \ge \mathbf{0}$, which proves
that $u_0^n\, a_1\, u_1^n \cdots a_k\, u_k^n$ is fireable from $x_{in}$. We have shown that $\pi$ is productive for $a_1 \cdots a_k$. □
We will now show in Proposition 4.4 below that limits of reachable states are witnessed
by productive sequences. Its essential argument is Higman's Lemma. We recall that an
ordering $\preceq$ is well if every infinite sequence $(\ell_n)_{n \in \mathbb{N}}$ admits an infinite increasing subsequence
$(\ell_{n_k})_{k \in \mathbb{N}}$: $\ell_{n_0} \preceq \ell_{n_1} \preceq \ell_{n_2} \preceq \cdots$. The pointwise ordering over $\mathbb{N}^d$ or over $\mathbb{N}_\omega^d$ is well
(Dickson's Lemma).

Higman's Lemma. Let $E$ be a (possibly infinite) set. Given an ordering $\preceq$ over $E$, let $\preceq^*$
be the ordering over $E^*$ defined as follows: for $u, v \in E^*$, we have $u \preceq^* v$ if $u = a_1 \cdots a_n$
with $a_i \in E$, $v = v_0\, b_1\, v_1 \cdots v_{n-1}\, b_n\, v_n$, with $v_i \in E^*$, $b_i \in E$, and for all $i = 1, \ldots, n$, we have
$a_i \preceq b_i$. In other words, $u$ is obtained from $v$ by removing some letters, and then replacing
some of the remaining letters by smaller ones. Higman's Lemma is the following result. See
for instance [10] for a proof.

Lemma 4.3 (Higman). If $\preceq$ is a well ordering over $E$, then $\preceq^*$ is a well ordering over $E^*$.

We extend the multiplication over $\mathbb{N}_\omega$ by $\omega \cdot 0 = 0 = 0 \cdot \omega$ and $\omega \cdot k = \omega = k \cdot \omega$ if $k \neq 0$.
This multiplication then extends componentwise to the scalar multiplication of $\mathbb{N}_\omega^d$ by $\mathbb{N}_\omega$.

Proposition 4.4. Let $V = (A, \delta, x_{in})$ be a VAS. Then

$\mathrm{Lim}\,\mathrm{Reach}(V) = \{x_{in} + \delta(v) + \omega\,\delta(\pi) \mid v \in A^* \text{ and } \pi \text{ productive in } V \text{ for } v\}.$

Proof. For the inclusion from right to left, if $\pi$ is a productive sequence for a word $v$, then
$x_{in} + \delta(v) + \omega\,\delta(\pi)$ is the limit of the sequence $(x_n)_{n \ge 1}$ with $x_n = x_{in} + \delta(v) + n\,\delta(\pi)$, which is a
reachable state by Definition 4.1. We prove the reverse inclusion thanks to Higman's lemma.
We follow the approach of Jancar introduced in [24, Section 6].

Let us first introduce a well ordering $\sqsubseteq$ over $\mathrm{Reach}(V)$, using a temporary ordering $\preceq$.
Consider the infinite set $E = A \times \mathbb{N}^d$. This set is well ordered by $\preceq$, defined by:

$(a, y) \preceq (b, z)$ if and only if $a = b$ and $y \le z$.

Since $\preceq$ is a well ordering, Higman's lemma shows that $\preceq^*$ is a well ordering over $E^*$. We
associate to every reachable state $y \in \mathrm{Reach}(V)$ a word $\alpha_y$ in $E^*$ as follows: since $y$ is
reachable, the set $V_y = \{v \in A^* \mid x_{in} \xrightarrow{v} y\}$ is nonempty. Let us choose arbitrarily some $v_y$
in $V_y$ (the actual choice is irrelevant; one can choose for instance the minimal element of $V_y$
with respect to the lexicographic ordering). Let $v_y = a_1 \cdots a_k$, with $k \ge 0$ and $a_i \in A$. We introduce
the sequence $(y_i)_{0 \le i \le k}$ of states defined by $y_0 = x_{in}$, and $y_i = x_{in} + \delta(a_1 \cdots a_i)$ for $i \ge 1$.
We let

$\alpha_y = (a_1, y_1) \cdots (a_k, y_k).$

We define the ordering $\sqsubseteq$ over $\mathrm{Reach}(V)$ by $y \sqsubseteq z$ if $\alpha_y \preceq^* \alpha_z$ and $y \le z$. Since the orderings
$\preceq^*$ over $E^*$ and $\le$ over $\mathbb{N}^d$ are well, we deduce that $\sqsubseteq$ is a well ordering over $\mathrm{Reach}(V)$.

Now, let us pick $x \in \mathrm{Lim}\,\mathrm{Reach}(V)$: $x$ is the limit of a sequence $(x_k)_{k \in \mathbb{N}}$ of reachable
states. By extracting a subsequence if necessary, one can assume that for every index $i$:
(i) if $x(i) < \omega$, then $x_k(i)$ is constant, equal to $x(i)$, and
(ii) if $x(i) = \omega$, then $(x_k(i))_{k \in \mathbb{N}}$ is strictly increasing.
Denote by $\alpha_j$ the word $\alpha_{x_j}$ associated to the reachable state $x_j$. Since $\sqsubseteq$ is a well ordering,
there exist $m < n$ such that $x_m \sqsubseteq x_n$. By construction of $\alpha_m$, there exists a word $v =
a_1 \cdots a_k$ with $a_j \in A$ such that the sequence $(y_j)_{1 \le j \le k}$ defined by $y_j = x_{in} + \delta(a_1 \cdots a_j)$ for
every $j \in \{1, \ldots, k\}$ satisfies:

$\alpha_m = (a_1, y_1) \cdots (a_k, y_k).$

Since $\alpha_m \preceq^* \alpha_n$ and by definition of $\preceq^*$, there exist a sequence $(z_j)_{1 \le j \le k}$ of states with
$y_j \le z_j$, and a sequence $(\beta_j)_{0 \le j \le k}$ of words in $E^*$ such that the following equality holds:

$\alpha_n = \beta_0\, (a_1, z_1)\, \beta_1 \cdots (a_k, z_k)\, \beta_k.$

We call label of a word $(b_1, t_1) \cdots (b_\ell, t_\ell)$ over $E$ the word $b_1 \cdots b_\ell$ over $A$. Consider the
sequence $\pi = (u_j)_{0 \le j \le k}$ where $u_j$ is the label of $\beta_j$. Since $x_m$ and $x_n$ are reachable, we have
by definition of $\alpha_m$ and $\alpha_n$:

$x_{in} \xrightarrow{a_1} y_1 \xrightarrow{a_2} y_2 \cdots \xrightarrow{a_k} y_k = x_m,$ (4.1)

$x_{in} \xrightarrow{u_0 a_1} z_1 \xrightarrow{u_1 a_2} z_2 \cdots \xrightarrow{u_{k-1} a_k} z_k \xrightarrow{u_k} x_n.$

From (4.1), we obtain in particular

$z_j = y_j + \delta(u_0) + \cdots + \delta(u_{j-1})$ for every $j \in \{1, \ldots, k\}$ (4.2)

and in the same way,

$x_n = x_m + \delta(\pi).$ (4.3)

Using (4.2) with $y_j \le z_j$ for $1 \le j \le k$, and (4.3) with $x_m \le x_n$, we deduce that $\pi$ satisfies
property (1) of Lemma 4.2. Since, by (4.1), it also satisfies (2), it is productive for $v$.

It remains to prove that $x = y$ where $y = x_{in} + \delta(v) + \omega\,\delta(\pi)$. Let $i \in \{1, \ldots, d\}$.

• If $x(i) < \omega$ then by (i) we get $x_m(i) = x(i) = x_n(i)$, so using (4.3) we obtain
$\delta(\pi)(i) = 0$. Since we have $x_n = x_{in} + \delta(v) + \delta(\pi)$ by (4.1), we deduce that
$x(i) = x_n(i) = x_{in}(i) + \delta(v)(i) = y(i)$.

• If $x(i) = \omega$, then by (ii) $x_m(i) < x_n(i)$. We deduce from (4.3) that $\delta(\pi)(i) > 0$.
Therefore, $x(i) = \omega = y(i)$.

Finally, $x = y$, and we have proved that there exists a productive sequence $\pi$ for a word $v$
such that $x = x_{in} + \delta(v) + \omega\,\delta(\pi)$. □

Proposition 4.4 and Lemma 4.2 provide a semi-algorithm to test whether a given vector
$x \in \mathbb{N}_\omega^d$ belongs to $\mathrm{Lim}\,\mathrm{Reach}(V)$: it suffices to enumerate the pairs $(\pi, v)$, where $\pi$ is
productive for $v$, and to check whether $x = x_{in} + \delta(v) + \omega\,\delta(\pi)$.

It is easier to prove that the complement of $\mathrm{Lim}\,\mathrm{Reach}(V)$ is recursively enumerable. Consider $y \in \mathbb{N}_\omega^d$. We introduce $d$ distinct additional elements $b_1, \ldots, b_d \notin A$. Let $B = \{b_1, \ldots, b_d\}$. We now introduce the VAS $V_y = (A \uplus B, \delta_y, x_{in})$, where $\delta_y$ extends $\delta$ by:
\[ \delta_y(b_i) = \begin{cases} 0 & \text{if } y(i) < \omega, \\ -e_i & \text{if } y(i) = \omega. \end{cases} \]

Finally, we define from $y$ a sequence $(y_\ell)_\ell$ converging to $y$, by
\[ y_\ell(i) = \begin{cases} y(i) & \text{if } y(i) < \omega, \\ \ell & \text{if } y(i) = \omega. \end{cases} \]

Lemma 4.5. Let $V_y$ and $(y_\ell)_\ell$ be constructed from $y$ as above. Then,
\[ y \notin \mathrm{Lim}\,\mathrm{Reach}(V) \iff \exists \ell \in \mathbb{N},\ y_\ell \notin \mathrm{Reach}(V_y). \tag{4.4} \]
In particular, the complement of $\mathrm{Lim}\,\mathrm{Reach}(V)$ is effectively recursively enumerable.

Proof. We prove the following, which is equivalent to (4.4):
\[ y \in \mathrm{Lim}\,\mathrm{Reach}(V) \iff \forall \ell \in \mathbb{N},\ y_\ell \in \mathrm{Reach}(V_y). \]

Assume that $y \in \mathrm{Lim}\,\mathrm{Reach}(V)$. Fix $\ell \in \mathbb{N}$. There exists a sequence $(z_n)_n$ of elements of $\mathrm{Reach}(V)$ such that $\lim_n z_n = y$, so for $n$ large enough, we have for all $i = 1, \ldots, d$:

• $z_n(i) = y(i) = y_\ell(i)$ if $y(i) < \omega$,

• $z_n(i) \ge \ell = y_\ell(i)$ if $y(i) = \omega$.

Then $z_n \xrightarrow{u} y_\ell$ in $V_y$, with $u = \prod_{i=1}^d b_i^{\,z_n(i) - y_\ell(i)}$. Since $z_n$ is reachable from $x_{in}$ (already in $V$), we deduce that $y_\ell \in \mathrm{Reach}(V_y)$.

Conversely, assume that $y_\ell \in \mathrm{Reach}(V_y)$ for all $\ell$, and let $u_\ell \in (A \cup B)^*$ be such that $x_{in} \xrightarrow{u_\ell}_{V_y} y_\ell$. Consider the word $v_\ell$ obtained from $u_\ell$ by erasing all letters of $B$. Since $\delta_y(b) \le 0$ for $b \in B$, the word $v_\ell$ is still fireable from $x_{in}$, so that $z_\ell = x_{in} + \delta(v_\ell) \in \mathrm{Reach}(V)$. Moreover, by definition of $V_y$, $z_\ell(i) = y_\ell(i)$ if $y(i) < \omega$ and $y_\ell(i) \le z_\ell(i)$ otherwise. Therefore, $\lim_\ell z_\ell = \lim_\ell y_\ell = y$, and it follows that $y \in \mathrm{Lim}\,\mathrm{Reach}(V)$.

This shows (4.4). Hence, we can enumerate vectors $y_\ell$ and test, for each $y_\ell$, its membership in $\mathrm{Reach}(V_y)$. This proves that $\mathrm{Lim}\,\mathrm{Reach}(V)$ is co-recursively enumerable. □

Theorem 4.1 now follows from Proposition 4.4 and Lemma 4.5.



5. Refined and filtered covers

In this section, we introduce two new notions of covers: refined and filtered covers. Both are parameterized, and the following inclusions will hold, regardless of the parameters:
\[ \mathrm{Reach}(V) \subseteq \mathrm{RefinedCover}(V) \subseteq \mathrm{Cover}(V), \quad \text{and} \quad \mathrm{FilteredCover}(V) \subseteq \mathrm{Cover}(V). \]

Let us first introduce the refined cover, a set hybrid between the reachability and cover sets, that to our knowledge has not yet been considered. Instead of the downward closure $\mathrm{Cover}(V)$ of $\mathrm{Reach}(V)$ wrt. the pointwise ordering $\le$, we consider
\[ \mathrm{Cover}_{\le_P}(V) = {\downarrow_{\le_P}} \mathrm{Reach}(V), \]
that is, we replace $\le$ with an ordering $\le_P$ over $\mathbb{N}_\omega^d$ parameterized by a set of "positions" $P \subseteq \{1, \ldots, d\}$:
\[ x \le_P y \quad \text{if} \quad \begin{cases} x(i) = y(i) & \text{for } i \in P, \\ x(i) \le y(i) & \text{for } i \notin P. \end{cases} \]

The set $P$ contains the components for which we insist on keeping equality. Thus, $\le_\emptyset$ is the usual pointwise ordering $\le$, while $\le_{\{1, \ldots, d\}}$ boils down to equality. Notice that $\le_P$ is not a well ordering, except if $P = \emptyset$ (e.g., $\mathbb{N}$ ordered by $\le_{\{1\}}$ consists only of incomparable elements, since in this case, $\le_{\{1\}}$ is just equality).

The ordering $\le_{\{1\}}$ will be abbreviated as $\le_1$. It is a natural order to study for a VAS$_z$ (recall that the zero-test occurs on the first component). Indeed, the transition relation of a VAS$_z$ is monotonic with respect to this order: if $x \xrightarrow{a} x'$ and $x \le_1 y$, then there exists $y'$ with $y \xrightarrow{a} y'$ and $x' \le_1 y'$. In words, from a $\le_1$-larger state than $x$, one can perform the same transitions as from $x$, and reach a state $\le_1$-above the one reached from $x$. This is clearly not the case if one uses the pointwise ordering $\le$ instead of $\le_1$: some zero-tests may fail from the largest state and succeed from the smallest one.

More precisely, testing if $\mathrm{Cover}_{\le_1}(V)$ contains a vector whose first component is $0$ is what we need to design our algorithm computing the cover of a VAS with one zero-test. Unfortunately, the set $\mathrm{Cover}_{\le_1}(V)$ cannot be represented by a finite set of $\le_1$-maximal elements, since it may well have infinitely many of them. Actually, the following theorem shows that we cannot find a sensible way to compute a representation of this set, as any representation would not allow to test for equality.

Theorem 5.1. Given two VAS $V_1, V_2$, it is undecidable whether $\mathrm{Cover}_{\le_1}(V_1) = \mathrm{Cover}_{\le_1}(V_2)$.

Proof. We reduce the equality problem $\mathrm{Reach}(V_1) = \mathrm{Reach}(V_2)$, which is known to be undecidable [5, 22], to the problem of the statement. Let us first consider a VAS $V = (A, \delta, x_{in})$ of dimension $d$. We introduce a VAS $V' = (A, \delta', x'_{in})$ of dimension $d+1$ that counts in the first component the sum of the other components. Formally, $x'_{in} = \big(\sum_{i=1}^d x_{in}(i),\ x_{in}\big)$ and $\delta'(a) = \big(\sum_{i=1}^d \delta(a)(i),\ \delta(a)\big)$ for every $a \in A$. Observe that the following equivalence holds:
\[ (n, x) \in \mathrm{Reach}(V') \iff x \in \mathrm{Reach}(V) \ \text{and}\ n = \sum_{i=1}^d x(i). \]

Finally, consider two VAS $V_1$ and $V_2$, and just observe that $\mathrm{Reach}(V_1) = \mathrm{Reach}(V_2)$ if and only if $\mathrm{Cover}_{\le_1}(V'_1) = \mathrm{Cover}_{\le_1}(V'_2)$. □

So, we cannot hope for a useful representation of the sets $\mathrm{Cover}_{\le_P}(V)$. However, one can capture the needed information differently, by replacing the downward closure in $\mathrm{Cover}_{\le_P}(V) = {\downarrow_{\le_P}} \mathrm{Reach}(V)$ with another operator parameterized by a vector $f$ of $\mathbb{N}_\omega^d$ (the letter $f$ stands for filter). Informally, $\Downarrow_f M$ is a downward closure taking into account only elements of $M$ that agree with $f$ on its finite components. Other elements will just be discarded. Formally, for $f \in \mathbb{N}_\omega^d$, and $M \subseteq \mathbb{N}_\omega^d$, we define the filtered cover $\Downarrow_f M$ by:
\[ \mathrm{Filter}(M, f) = \Big\{ x \in M \ \Big|\ \bigwedge_{i=1}^d \big[ f(i) < \omega \Rightarrow x(i) = f(i) \big] \Big\}, \qquad \Downarrow_f M = {\downarrow} \mathrm{Filter}(M, f). \]

Observe that $\Downarrow_f M$ is a downward closed subset of ${\downarrow} M$, and that $\Downarrow_{(\omega, \omega, \ldots, \omega)} M = {\downarrow} M$. Elements of the minimal basis of $\Downarrow_f M$ agree with $f$ on components $i$ where $f(i) < \omega$. One can check that the limit and filter operators commute:
\[ \mathrm{Filter}(\mathrm{Lim}\, M, f) = \mathrm{Lim}\, \mathrm{Filter}(M, f). \]
Since the limit and the downward closure operators also commute (see (2.5)), we obtain
\[ \Downarrow_f \mathrm{Lim}\, M = \mathrm{Lim} \Downarrow_f M. \tag{5.1} \]

The motivation for considering filtered covers is that, for $f = (0, \omega, \ldots, \omega) \in \mathbb{N}_\omega^d$ and $M = \mathrm{Reach}(V)$ where $V$ is a VAS of dimension $d$, the set $\Downarrow_f M$ captures all information we need to overcome the difficulty described on page 3. Moreover, contrary to the refined cover of a VAS, all its filtered covers are computable, as stated in Theorem 5.2 below. Our goal in this section is to describe an algorithm computing a filtered cover of a VAS. Our algorithm both refines Karp and Miller's one to compute the usual cover, and generalizes Theorem 4.1.

Theorem 5.2. Let $V$ be a VAS. Given $f \in \mathbb{N}_\omega^d$, one can compute a basis of $\Downarrow_f \mathrm{Reach}(V)$.

Karp and Miller's algorithm computing $\mathrm{Cover}(V)$ corresponds to the case $f = (\omega, \ldots, \omega)$. Since $M$ and $\mathrm{Lim}\, M$ have the same bases (by definition (2.3) of a basis), computing a basis of $\Downarrow_f \mathrm{Reach}(V)$ is the same as computing a basis of $\mathrm{Lim} \Downarrow_f \mathrm{Reach}(V)$, i.e., by (5.1), of $\Downarrow_f \mathrm{Lim}\,\mathrm{Reach}(V)$. We first reduce this computation to a decision problem, as in [35, Th. 2.10].

For $M \subseteq \mathbb{N}_\omega^d$, let us introduce the following set:
\[ \mathcal{F}(M) = \{ (f, y) \in \mathbb{N}_\omega^d \times \mathbb{N}_\omega^d \mid y \in \Downarrow_f M \}. \]

Lemma 5.3. Let $M \subseteq \mathbb{N}_\omega^d$ be a limit closed set. From an algorithm solving the membership problem for $\mathcal{F}(M)$, one can construct an algorithm which, given an input vector $f \in \mathbb{N}_\omega^d$, outputs a basis of $\Downarrow_f M$.

Proof. Observe that $\Downarrow_f M$ has the same bases as $\mathbb{N}^d \cap \Downarrow_f M$. Now, if $D \subseteq \mathbb{N}^d$ is downward closed, one can compute a basis $B_D \subseteq \mathbb{N}_\omega^d$ of $D$ from a basis $B_U$ of its (upward closed) complement $U = \mathbb{N}^d \setminus D$: an algorithm generates all candidates $B_D$ for a basis of $D$ (i.e., all finite subsets of the countable set $\mathbb{N}_\omega^d$), and checks for each candidate whether it is indeed a basis of $D$, i.e., that the union of the sets $\mathbb{N}^d \cap {\downarrow} B_D$ and $\mathbb{N}^d \cap {\uparrow} B_U$ is $\mathbb{N}^d$, and that their intersection is empty. This property is Presburger definable, whence decidable.

Hence, to compute a basis of $\Downarrow_f M$ given $f$, it suffices to compute a basis of $\mathbb{N}^d \setminus \Downarrow_f M$. Now, [35, Th. 2.10] describes an algorithm computing such a basis from an algorithm deciding, given $y \in \mathbb{N}_\omega^d$, whether $(\mathbb{N}^d \setminus \Downarrow_f M) \cap {\downarrow} y = \emptyset$, or equivalently, whether $\mathbb{N}^d \cap {\downarrow} y \subseteq \Downarrow_f M$. Note that $y$ may have some components whose value is $\omega$, so, if $M$ were an arbitrary set, it might happen that ${\downarrow} y \not\subseteq \Downarrow_f M$. However, $M$ is limit closed, and therefore $\mathbb{N}^d \cap {\downarrow} y \subseteq \Downarrow_f M$ is equivalent to $y \in \Downarrow_f M$, that is, to $(f, y) \in \mathcal{F}(M)$. □

Notice that Lemma 5.3 requires as input an algorithm solving the membership problem in $\mathcal{F}(M)$, i.e., a unique algorithm solving the membership of $y$ in $\Downarrow_f M$ where $f$ is an input parameter. This hypothesis cannot be weakened by just assuming that for each $f$ we have an algorithm deciding the membership of $y$ in $\Downarrow_f M$. In fact this hypothesis is a tautology, since the set $\Downarrow_f M$ is recursive, as every downward closed set. The lemma becomes clearly wrong without any condition on $M$.

We will now reduce membership in $\mathcal{F}(\mathrm{Lim}\,\mathrm{Reach}(V))$ to a similar problem involving refined covers. The next lemma provides a relationship between the sets $\Downarrow_f M$ and ${\downarrow_{\le_P}} M$.

Lemma 5.4. Let $M \subseteq \mathbb{N}_\omega^d$, $P \subseteq \{1, \ldots, d\}$, and $y \in \mathbb{N}_\omega^d$. Define $f \in \mathbb{N}_\omega^d$ by
\[ f(i) = \begin{cases} y(i) & \text{if } i \in P, \text{ and} \\ \omega & \text{otherwise.} \end{cases} \tag{5.2} \]
Then we have:
\[ y \in {\downarrow_{\le_P}} M \iff y \in \Downarrow_f M. \tag{5.3} \]

Proof. Assume first that $y \in {\downarrow_{\le_P}} M$. Then, there exists $x \in M$ such that $y \le_P x$. We prove that $x \in \mathrm{Filter}(M, f)$ by observing that if $i$ is an index such that $f(i) < \omega$, then $i \in P$ and $f(i) = y(i) < \omega$. From $i \in P$ we get $x(i) = y(i)$. Hence $x(i) = f(i)$ and we have proved that $x \in \mathrm{Filter}(M, f)$. Since $y \le x$, we get $y \in \Downarrow_f M$.

Conversely, assume that $y \in \Downarrow_f M$: there exists $x \in \mathrm{Filter}(M, f)$ such that $y \le x$. Let $i \in P$. If $y(i) = \omega$ then from $y(i) \le x(i)$ we get $y(i) = x(i)$. If $y(i) < \omega$ then $f(i) = y(i)$ and from $x \in \mathrm{Filter}(M, f)$ we get $x(i) = f(i)$. Hence in both cases, we have $x(i) = y(i)$. We have proved that $y \le_P x$. Therefore $y \in {\downarrow_{\le_P}} M$. □



MODEL CHECKING VECTOR ADDITION SYSTEMS WITH ONE ZERO-TEST 






Let us now introduce another set, again for a set $M \subseteq \mathbb{N}_\omega^d$:
\[ \mathcal{P}(M) = \{ (P, y) \in 2^{\{1, \ldots, d\}} \times \mathbb{N}_\omega^d \mid y \in {\downarrow_{\le_P}} M \}. \]

Corollary 5.5 (of Lemma 5.4). The membership problems in $\mathcal{P}(M)$ and in $\mathcal{F}(M)$ are inter-reducible. Both reductions are effective: from an algorithm solving the first problem, we construct an algorithm solving the second one.

Proof. From $P \subseteq \{1, \ldots, d\}$ and $y \in \mathbb{N}_\omega^d$, define $f \in \mathbb{N}_\omega^d$ by (5.2). From (5.3), we deduce that $(P, y) \in \mathcal{P}(M)$ if and only if $(f, y) \in \mathcal{F}(M)$.

Conversely, let $f \in \mathbb{N}_\omega^d$ and $y \in \mathbb{N}_\omega^d$. Observe that if $y \not\le f$ then $y \notin \Downarrow_f M$. So we can assume that $y \le f$. We introduce the set $P = \{ i \in \{1, \ldots, d\} \mid f(i) < \omega \}$ and the vector $z \in \mathbb{N}_\omega^d$ defined by $z(i) = f(i)$ if $i \in P$ and $z(i) = y(i)$ otherwise. We have $y \in \Downarrow_f M$ if and only if $z \in \Downarrow_f M$. Moreover, from Lemma 5.4 we deduce that $z \in \Downarrow_f M$ if and only if $z \in {\downarrow_{\le_P}} M$. In summary, $(f, y) \in \mathcal{F}(M)$ if and only if $y \le f$ and $(P, z) \in \mathcal{P}(M)$. □
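As an added example (not code from the paper), the ordering $\le_P$, the operator $\mathrm{Filter}(M, f)$ and the two membership problems $\mathcal{P}(M)$ and $\mathcal{F}(M)$ can be implemented directly on a finite set $M$, which is enough to exercise Lemma 5.4 and both directions of Corollary 5.5 exhaustively on a bounded fragment of $\mathbb{N}_\omega^d$. Positions are 0-based here, $\omega$ is modelled as floating-point infinity, and the set SAMPLE_M is constructed for the example.

```python
"""Refined cover, filter operator and the reductions of Lemma 5.4 and
Corollary 5.5 on finite sets of omega-vectors (added example, not the paper's code)."""
from itertools import combinations, product
from math import inf

OMEGA = inf  # omega, the largest element of N_omega; positions are 0-based here


def leq(x, y):
    """Pointwise ordering <= on N_omega^d."""
    return all(a <= b for a, b in zip(x, y))


def leq_P(x, y, P):
    """x <=_P y: equality on the positions in P, <= on the other positions."""
    return all((a == b) if i in P else (a <= b) for i, (a, b) in enumerate(zip(x, y)))


def in_refined_cover(M, P, y):
    """Membership in the P-refined cover of M: y <=_P x for some x in M."""
    return any(leq_P(y, x, P) for x in M)


def filter_set(M, f):
    """Filter(M, f): the x in M agreeing with f on every finite component of f."""
    return {x for x in M if all(fi == OMEGA or xi == fi for xi, fi in zip(x, f))}


def in_filtered_cover(M, f, y):
    """Membership in the f-filtered cover of M: y <= x for some x in Filter(M, f)."""
    return any(leq(y, x) for x in filter_set(M, f))


def filter_from(P, y):
    """The filter f of Lemma 5.4, equation (5.2): f(i) = y(i) on P, omega elsewhere."""
    return tuple(yi if i in P else OMEGA for i, yi in enumerate(y))


def reduce_filtered_to_refined(f, y):
    """Second direction of Corollary 5.5: P = {i | f(i) < omega}, z = f on P and y elsewhere,
    so that y is in the f-filtered cover iff y <= f and z is in the P-refined cover."""
    P = frozenset(i for i, fi in enumerate(f) if fi != OMEGA)
    z = tuple(fi if i in P else yi for i, (fi, yi) in enumerate(zip(f, y)))
    return P, z


def omega_vectors(d, bound):
    """Constructed finite fragment {0, ..., bound, omega}^d of N_omega^d."""
    return list(product(list(range(bound + 1)) + [OMEGA], repeat=d))


def check_lemma_5_4(M, d, bound):
    """Lemma 5.4 on the fragment: y in refined_P(M) iff y in filtered_f(M), f from (P, y)."""
    subsets = [frozenset(c) for r in range(d + 1) for c in combinations(range(d), r)]
    return all(in_refined_cover(M, P, y) == in_filtered_cover(M, filter_from(P, y), y)
               for y in omega_vectors(d, bound) for P in subsets)


def check_corollary_5_5(M, d, bound):
    """Corollary 5.5 on the fragment: y in filtered_f(M) iff y <= f and z in refined_P(M)."""
    vectors = omega_vectors(d, bound)
    return all(in_filtered_cover(M, f, y)
               == (leq(y, f) and in_refined_cover(M, *reduce_filtered_to_refined(f, y)))
               for f in vectors for y in vectors)


# A constructed sample set M of dimension 3; one element has an omega component.
SAMPLE_M = {(0, 3, 1), (1, OMEGA, 2), (2, 0, 0)}

if __name__ == "__main__":
    print(check_lemma_5_4(SAMPLE_M, 3, 3), check_corollary_5_5(SAMPLE_M, 3, 3))
```

Both checks are exhaustive over the fragment, so they return True for any finite $M$; the point is that the reductions are implemented exactly as the proofs describe them, including the $y \not\le f$ shortcut, and can be inspected on concrete vectors.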

To establish Theorem 5.2, it remains, in view of Lemma 5.3 and Corollary 5.5, to find an algorithm solving membership to $\mathcal{P}(\mathrm{Lim}\,\mathrm{Reach}(V))$. This is obtained by first proving that, for a VAS $V_P$ suitably constructed from $V$ and $P$, we have
\[ \mathrm{Reach}(V_P) = \mathrm{Cover}_{\le_P}(V), \tag{5.4} \]
which implies $\mathrm{Lim}\,\mathrm{Reach}(V_P) = \mathrm{Lim}\,\mathrm{Cover}_{\le_P}(V) = \mathrm{Lim} {\downarrow_{\le_P}} \mathrm{Reach}(V) = {\downarrow_{\le_P}} \mathrm{Lim}\,\mathrm{Reach}(V)$. Then, Theorem 4.1 applied to $V_P$ will give an algorithm to decide membership in this set. Since there is a finite number of subsets $P$ of $\{1, \ldots, d\}$, this yields an algorithm to decide membership in $\mathcal{P}(\mathrm{Lim}\,\mathrm{Reach}(V))$.

So let $V = (A, \delta, x_{in})$ be a VAS and $P \subseteq \{1, \ldots, d\}$, and let us define a VAS $V_P$ satisfying (5.4). We consider $d$ distinct additional elements $b_1, \ldots, b_d \notin A$. Let $B = \{b_1, \ldots, b_d\}$. We consider the VAS $V_P = (A \uplus B, \delta_P, x_{in})$, where $\delta_P$ extends $\delta$ by:
\[ \delta_P(b_i) = \begin{cases} 0 & \text{if } i \in P, \\ -e_i & \text{if } i \notin P. \end{cases} \]

Lemma 5.6. Let $V_P$ be constructed from $V$ and $P$ as above. Then $\mathrm{Cover}_{\le_P}(V) = \mathrm{Reach}(V_P)$.

Proof. Let $x \in \mathrm{Cover}_{\le_P}(V)$. By definition, there exists $y \in \mathrm{Reach}(V)$ such that $x \le_P y$. Note that $y \in \mathrm{Reach}(V_P)$, and that $y \xrightarrow{u} x$ in $V_P$ with $u = \prod_{i=1}^d b_i^{\,y(i) - x(i)}$, so $x \in \mathrm{Reach}(V_P)$. Conversely let $x \in \mathrm{Reach}(V_P)$, and $u \in (A \cup B)^*$ such that $x_{in} \xrightarrow{u}_{V_P} x$. Let $v$ be obtained from $u$ by erasing all letters of $B$. Since $\delta_P(b) \le 0$ for $b \in B$, the word $v$ is fireable from $x_{in}$. Thus $y = x_{in} + \delta(v) \in \mathrm{Reach}(V)$. By definition of $V_P$ we have $x \le_P y$, so $x \in \mathrm{Cover}_{\le_P}(V)$. □

As explained above, Theorem 5.2 is now established, by combining Lemma 5.3 and Corollary 5.5 applied to $M = \mathrm{Lim}\,\mathrm{Reach}(V)$, as well as Lemma 5.6.



6. Computing the cover of a VAS with one zero-test

This section describes an algorithm computing a basis of the cover of a VAS$_z$ given as input.

It will be convenient to consider VAS or VAS$_z$ whose initial state belongs to $\mathbb{N}_\omega^d$. The semantics given by (3.1) is generalized by extending addition to $\mathbb{N}_\omega$, letting $\omega + n = n + \omega = \omega$ for all $n \in \mathbb{Z}$. Notice that all results obtained so far for a VAS, and in particular Theorem 5.2, extend to VAS with such generalized initial states. Indeed, an $\omega$ value in some component of $x_{in}$ remains frozen to $\omega$, whatever action is executed, and can therefore be safely ignored.

We introduce a notation to change the initial state of a VAS/VAS$_z$ $V$. For $x \in \mathbb{N}_\omega^d$, we let $V(x)$ be the VAS/VAS$_z$ obtained from $V$ by replacing the initial state $x_{in}$ by $x$.

In this section, we fix a VAS$_z$ $V_z = (A, a_z, \delta, x_{in})$. To simplify the presentation, we assume without loss of generality that $x_{in} \in \{0\} \times \mathbb{N}^{d-1}$ and that $\delta(a_z) \in \{0\} \times \mathbb{Z}^{d-1}$. In the sequel, we denote by $V = (A, \delta, x_{in})$ the VAS obtained from $V_z$ by removing the zero-test. We shall work with a single filter throughout the section: we introduce $f = (0, \omega, \ldots, \omega)$.

Input/output of the algorithm. Our algorithm is inspired by Karp and Miller's one for a VAS [25]. Given as input a VAS$_z$ $V_z$, it builds a finite tree with nodes labeled by vectors in $\{0\} \times \mathbb{N}_\omega^{d-1}$, such that when the algorithm terminates:

The set $R$ of node labels is a basis of $\Downarrow_f \mathrm{Reach}(V_z)$. $(*)$

Observe that, at the end of the algorithm, $R$ is not a basis of the whole cover of $V_z$, but only a basis of an $f$-filtered cover of $V_z$.

Let us first explain how to compute from $R$ a basis of $\mathrm{Cover}(V_z)$. If $x \in \mathrm{Cover}(V_z)$, then there exist $u \in (A \cup \{a_z\})^*$ and $y \in \mathbb{N}^d$ such that $x_{in} \xrightarrow{u} y \ge x$. Let us factorize $u = u_1 u_2$, where $u_1$ ends with the last zero-test $a_z$, or is empty if there is no zero-test. Then, we have $x_{in} \xrightarrow{u_1} r \xrightarrow{u_2} y \ge x$, with $r \in \{0\} \times \mathbb{N}^{d-1}$ (if $u_1$ is empty, we use the assumption $x_{in} \in \{0\} \times \mathbb{N}^{d-1}$). In particular, $r \in \Downarrow_f \mathrm{Reach}(V_z) = {\downarrow} R \cap \mathbb{N}^d$ by $(*)$. Since no zero-test occurs in $u_2$, the state $y$ reached after firing $u$ belongs to $\mathrm{Reach}(V(r))$, and therefore, $x \in {\downarrow} \mathrm{Reach}(V(r))$. This simple remark yields the following result:

Lemma 6.1. If $R$ is a basis of $\Downarrow_f \mathrm{Reach}(V_z)$, then $\mathrm{Cover}(V_z) = \bigcup_{r \in R} {\downarrow} \mathrm{Reach}(V(r))$.

In words, we obtain a basis of $\mathrm{Cover}(V_z)$ as the union of all bases output by the usual Karp-Miller algorithm run on inputs $V(r)$, for $r \in R$. Let us now explain how to compute $R$.

Outline of the algorithm. To build a tree whose set of labels is $R \subseteq \{0\} \times \mathbb{N}_\omega^{d-1}$, the algorithm works top-down from the root labeled by the initial state $x_{in} \in \{0\} \times \mathbb{N}^{d-1}$. Its main loop is similar to that of the Karp-Miller algorithm: for each leaf of the tree,

(1) if the label of the leaf already occurs above it along the path to the root, then the leaf is not expanded, and will remain a leaf during the execution of the algorithm.

(2) Otherwise, we try to expand the tree from the leaf. As in the Karp-Miller algorithm:

a. we perform some standard acceleration, which is explained below,

b. we then expand the leaf, adding new children to it. However, unlike the Karp-Miller algorithm, which fires all original transitions of the VAS from the label of the leaf, we add two kinds of children to the current leaf labeled $x \in \{0\} \times \mathbb{N}_\omega^{d-1}$:

(i) one child corresponding to firing the zero-test from the leaf label, if possible,
(ii) several children representing a basis of $\Downarrow_f \mathrm{Reach}(V(x))$.

Note that Step (ii) involves $V$ and not $V_z$, i.e., the zero-test is not considered during this step. It is a macro-step computing itself a basis of a cover, to be used in the whole computation. In the particular case where the VAS$_z$ is obtained by just adding to states of a VAS an extra first component, left untouched (therefore remaining forever $0$) and where the zero-test is never fired, step (ii) actually computes in one shot the cover of the original VAS (completed with the first component, left to $0$). Theorem 5.2 shows that Step (ii) is effective.
We now enter the details of the algorithm. At any step of the execution, in the tree built by the algorithm, every ancestor node $n_x$ of a node $n_y$ satisfies the invariant $x \Rightarrow y$ where $x, y$ are the labels of $n_x, n_y$ and where $\Rightarrow$ is the binary relation defined over $\{0\} \times \mathbb{N}_\omega^{d-1}$ by:
\[ x \Rightarrow y \quad \text{if} \quad y \in \Downarrow_f \mathrm{Lim}\,\mathrm{Reach}(V_z(x)). \]
By the next lemma, it is sufficient to maintain this invariant along each parent-child edge.

Lemma 6.2. The binary relation $\Rightarrow$ over $\{0\} \times \mathbb{N}_\omega^{d-1}$ is reflexive and transitive.

The proof of Lemma 6.2 is itself based on the following intermediate statement. To shorten notation, for a set $M \subseteq \mathbb{N}_\omega^d$, we let $\mathrm{Reach}\, M = \bigcup_{x \in M} \mathrm{Reach}(V_z(x))$ denote the set of states that can be reached in $V_z$ from any initial vector chosen in $M$ (in this notation, used only in Lemmas 6.2 and 6.3, the VAS$_z$ will always be $V_z$, and is therefore omitted).

Lemma 6.3. Let $M \subseteq \mathbb{N}_\omega^d$. Then, we have $\mathrm{Lim}\,\mathrm{Reach}\,\mathrm{Lim}\, M = \mathrm{Lim}\,\mathrm{Reach}\, M$.

Proof. Since $M \subseteq \mathrm{Lim}\, M$, we have $\mathrm{Lim}\,\mathrm{Reach}\, M \subseteq \mathrm{Lim}\,\mathrm{Reach}\,\mathrm{Lim}\, M$. For the other inclusion, pick $x \in \mathrm{Lim}\,\mathrm{Reach}\,\mathrm{Lim}\, M$. This means that we have the following situation
\[ y_n \xrightarrow[n \to \infty]{} y \xrightarrow{u_n} x_n \xrightarrow[n \to \infty]{} x, \]
with $y_n \in M$, $y, x_n \in \mathbb{N}_\omega^d$ and $u_n \in A^*$ for all $n$.

Since $\lim_n y_n = y$, we may assume that $y_n(i) = y(i)$ for all $n$ if $y(i) < \omega$, and that $(y_n(i))_n$ is strictly increasing if $y(i) = \omega$. Let $k_n$ be a strictly increasing sequence such that $k_n \ge n + \max_{1 \le i \le d} |\delta(u_n)(i)|$, and let $y'_n = y_{k_n}$. Clearly, $\lim_n y'_n = y$. By construction, $u_n$ is fireable from $y'_n$: let $y'_n \xrightarrow{u_n} x'_n$. We then have $x'_n(i) = x_n(i)$ if $y(i) < \omega$, and $x'_n(i) \ge n$ if $y(i) = \omega$. So, $x = \lim_n x'_n \in \mathrm{Lim}\,\mathrm{Reach}\, M$. □

Proof of Lemma 6.2. Reflexivity is obvious. For transitivity, assume that $x \Rightarrow y \Rightarrow z$. Then by definition of $\Rightarrow$, we have $z \in \Downarrow_f \mathrm{Lim}\,\mathrm{Reach}(V_z(y))$ and $y \in \Downarrow_f \mathrm{Lim}\,\mathrm{Reach}(V_z(x))$. Since $f = (0, \omega, \ldots, \omega)$, we can use monotony to obtain $\Downarrow_f \mathrm{Reach}(V_z(x)) = \Downarrow_f \mathrm{Reach} \Downarrow_f \mathrm{Reach}(V_z(x))$. We deduce from this equality that
\[ \begin{aligned}
\Downarrow_f \mathrm{Lim} \Downarrow_f \mathrm{Reach}(V_z(x)) &= \Downarrow_f \mathrm{Lim}\,\mathrm{Reach} \Downarrow_f \mathrm{Reach}(V_z(x)) && \text{by applying the monotonous operator } \Downarrow_f \mathrm{Lim} \text{ (and simplifying } \Downarrow_f \mathrm{Lim} \Downarrow_f \text{ into } \Downarrow_f \mathrm{Lim}\text{),} \\
&= \Downarrow_f \mathrm{Lim}\,\mathrm{Reach}\,\mathrm{Lim} \Downarrow_f \mathrm{Reach}(V_z(x)) && \text{by Lemma 6.3.}
\end{aligned} \]
Since $\mathrm{Lim}$ and $\Downarrow_f$ commute (see (5.1)), and since the operator $\Downarrow_f$ is obviously idempotent, we finally get $\Downarrow_f \mathrm{Lim}\,\mathrm{Reach}(V_z(x)) = \Downarrow_f \mathrm{Lim}\,\mathrm{Reach} \Downarrow_f \mathrm{Lim}\,\mathrm{Reach}(V_z(x))$. Now, the hypotheses imply that $z \in \Downarrow_f \mathrm{Lim}\,\mathrm{Reach} \Downarrow_f \mathrm{Lim}\,\mathrm{Reach}(V_z(x))$. We deduce that $z \in \Downarrow_f \mathrm{Lim}\,\mathrm{Reach}(V_z(x))$, that is, $x \Rightarrow z$. □

Assume now that $x \in \{0\} \times \mathbb{N}_\omega^{d-1}$ labels a leaf. We create a child of this leaf if the vector $y = x + \delta(a_z)$ is nonnegative. Note that in this case $y \in \{0\} \times \mathbb{N}_\omega^{d-1}$, since $\delta(a_z)(1) = 0$. We do not violate the invariant when creating the child labeled $y$ since $x \Rightarrow y$. We also add new children labeled by elements of the minimal basis $B(x)$ of $\Downarrow_f \mathrm{Lim}\,\mathrm{Reach}(V(x))$. Since $\mathbb{N}^d \cap \Downarrow_f \mathrm{Lim}\,\mathrm{Reach}(V(x))$ is equal to $\mathbb{N}^d \cap \Downarrow_f \mathrm{Reach}(V(x))$, by Theorem 5.2 one can compute $B(x)$. Observe that $x \Rightarrow b$ for every $b \in B(x)$, so that the invariant is still fulfilled after adding elements of $B(x)$.
The termination of the algorithm is obtained by introducing an acceleration operator $\nabla$. For $x, y \in \{0\} \times \mathbb{N}_\omega^{d-1}$ such that $x \le y$, we define the vector $x \nabla y \in \{0\} \times \mathbb{N}_\omega^{d-1}$ by:
\[ (x \nabla y)(i) = \begin{cases} \omega & \text{if } x(i) < y(i), \\ x(i) & \text{if } x(i) = y(i). \end{cases} \]
Let us first verify that performing acceleration cannot violate the invariant.

Lemma 6.4. If $x \Rightarrow y$ with $x \le y$ then $x \Rightarrow (x \nabla y)$.

Proof. If $x \Rightarrow y$, then $y \in \Downarrow_f \mathrm{Lim}\,\mathrm{Reach}(V_z(x))$, and we obtain the following situation
\[ x \xrightarrow{u_n} z_n \xrightarrow[n \to \infty]{} z \ge y, \]
with $u_n \in (A \cup \{a_z\})^*$ and $z, z_n \in \{0\} \times \mathbb{N}_\omega^{d-1}$. Since $z \ge y \ge x$, there exists $\ell$ such that $z_\ell(i) \ge x(i)$ for all indices $i$ satisfying $x(i) < \omega$, and further $z_\ell(i) > x(i)$ if $x(i) < y(i)$. Therefore, $z_\ell \ge x$, and as we have $z_\ell(1) = x(1) = 0$, we deduce that $u_\ell^k$ is fireable from $x$ for all $k$. Call $x_k$ the state reached from $x$ after firing $u_\ell^k$. Then we have $x_k \in \{0\} \times \mathbb{N}_\omega^{d-1}$ and $\lim_{k \to \infty} x_k \ge x \nabla y$, which proves $x \nabla y \in \Downarrow_f \mathrm{Lim}\,\mathrm{Reach}(V_z(x))$. □



Algorithm 1 An algorithm to compute a basis of $\Downarrow_f \mathrm{Reach}(V_z)$

• Inputs: A VAS$_z$ $V_z$ such that $x_{in} \in \{0\} \times \mathbb{N}^{d-1}$ and $\delta(a_z) \in \{0\} \times \mathbb{Z}^{d-1}$.

• Outputs: a finite subset of $\{0\} \times \mathbb{N}_\omega^{d-1}$.

• Internal Variables:

— $T$, a tree labeled by elements of $\mathbb{N}_\omega^d$.

— $N$, a set of nodes.

• Algorithm:

1: Initialize $T$ as a single root $n_{in}$, labeled by $x_{in}$
2: $N \leftarrow \{n_{in}\}$
3: while $N \neq \emptyset$ do
4:     Choose a node $n$ from $N$
5:     $N \leftarrow N \setminus \{n\}$
6:     $x \leftarrow \mathrm{label}(n)$
7:     if no strict ancestor of $n$ has label $x$ then
8:         for all strict ancestors $n_0$ of $n$ do                ▷ Acceleration, step 2a
9:             $x_0 \leftarrow \mathrm{label}(n_0)$
10:            if $x_0 \le x$ then
11:                $x \leftarrow x_0 \nabla x$
12:        Replace the label of $n$ by $x$
13:        if $x + \delta(a_z) \ge 0$ then                          ▷ Expand by zero-test, step 2b(i)
14:            Create a new node in $T$ labeled by $x + \delta(a_z)$, as a child of $n$
15:            Add this node to $N$
16:        for all $b \in B(x)$ do                                   ▷ Expand by $B(x)$, step 2b(ii)
17:            Create a new node in $T$ labeled by $b$, as a child of $n$
18:            Add this node to $N$
19: $R \leftarrow \{\mathrm{label}(n) \mid n \in \mathrm{nodes}(T)\}$
20: return $R$

Algorithm 1 computes $R$. If every leaf has a (strict) ancestor with the same label, then it terminates and returns the current set of node labels. If it finds some leaf $n$ whose ancestors carry different labels than that of $n$, it performs acceleration at $n$ (step 2a of the outline): while $n$ has an ancestor $n_0$ labeled by a vector $x_0$ such that $x_0 \le x < x_0 \nabla x$, it replaces the label $x$ of the leaf $n$ with $x_0 \nabla x$.

From Lemma 6.4 we deduce that the invariant still holds. Since this loop just replaces some components by $\omega$, it terminates. Finally, once the label $x$ of $n$ has been updated, the algorithm creates a new child labeled by $x + \delta(a_z)$ if this vector is nonnegative (step 2b(i)), and it creates a new child of $n$ labeled by $b$ for each $b \in B(x)$ (step 2b(ii)). Note that all labels belong to $\{0\} \times \mathbb{N}_\omega^{d-1}$, since $\{x_{in}, \delta(a_z)\} \cup B(x) \subseteq \{0\} \times \mathbb{N}_\omega^{d-1}$.
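The acceleration operator $\nabla$ of Lemma 6.4 and the leaf/ancestor discipline of the outline are the parts of Algorithm 1 that can be run directly. What follows is an added example, not code from the paper: it implements them for a plain VAS, i.e. the classical Karp-Miller construction that Lemma 6.1 runs on the inputs $V(r)$. Step 2b(ii) of Algorithm 1, the basis $B(x)$ of $\Downarrow_f \mathrm{Reach}(V(x))$ supplied by Theorem 5.2, is not implemented; instead every action is fired from the leaf, as in Karp and Miller's algorithm. Components are 0-based, $\omega$ is modelled as floating-point infinity (so $\omega + n = \omega$, as required above), and the two input systems are constructed for the example.

```python
"""Karp-Miller coverability tree for a VAS with the acceleration operator
x nabla y of Section 6 (added example, not the paper's Algorithm 1)."""
from math import inf

OMEGA = inf  # omega: inf + n == inf for every integer n, as required in Section 6


def leq(x, y):
    """Pointwise ordering on N_omega^d."""
    return all(a <= b for a, b in zip(x, y))


def accelerate(x, y):
    """x nabla y for x <= y: omega where x(i) < y(i), x(i) where x(i) = y(i)."""
    assert leq(x, y), "nabla is only defined for x <= y"
    return tuple(OMEGA if a < b else a for a, b in zip(x, y))


def fire(x, delta):
    """Fire an action of displacement delta from x; None if a counter would go negative."""
    y = tuple(a + b for a, b in zip(x, delta))
    return y if all(c >= 0 for c in y) else None


def karp_miller(x_in, actions):
    """Labels of the coverability tree of the VAS (actions, x_in).

    actions maps an action name to its displacement vector.  Each pending leaf
    carries the labels of its strict ancestors; following the outline of Section 6,
    a leaf whose label occurs among its ancestors is not expanded (step 1),
    otherwise it is accelerated against every ancestor below it (step 2a) and
    then expanded by firing every action (the plain-VAS version of step 2b)."""
    pending = [(tuple(x_in), ())]  # (label, ancestor labels from the root to the parent)
    labels = set()
    while pending:
        x, ancestors = pending.pop()
        if x in ancestors:          # step (1): same label above -> stays a leaf
            labels.add(x)
            continue
        for x0 in ancestors:        # step (2a): acceleration against each ancestor
            if leq(x0, x):
                x = accelerate(x0, x)
        labels.add(x)
        if x in ancestors:          # acceleration may reproduce an ancestor label:
            continue                # its subtree would repeat, so stop here as well
        for delta in actions.values():   # step (2b): expand by every action
            y = fire(x, delta)
            if y is not None:
                pending.append((y, ancestors + (x,)))
    return labels


def basis(labels):
    """Minimal basis of the downward closure of the labels: the <=-maximal ones."""
    return {x for x in labels if not any(y != x and leq(x, y) for y in labels)}


def covers(labels, v):
    """Coverability check: v is in the cover iff some label dominates it."""
    return any(leq(v, x) for x in labels)


# Constructed inputs for the example.
# First VAS: one counter can be incremented forever while another is consumed.
UNBOUNDED_VAS = ((1, 0), {"a": (0, 1), "b": (-1, 0)})
# Second VAS: a token moving between two places; its reachability set is finite.
BOUNDED_VAS = ((2, 0), {"a": (-1, 1), "b": (1, -1)})

if __name__ == "__main__":
    for x_in, actions in (UNBOUNDED_VAS, BOUNDED_VAS):
        print(sorted(basis(karp_miller(x_in, actions))))
```

On the first system the root $(1,0)$ gets a child $(1,1)$ that is accelerated to $(1,\omega)$, after which every branch closes on a repeated label, and the basis is $\{(1,\omega)\}$; on the second system no acceleration ever applies and the three reachable markings are returned unchanged.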

Proposition 6.5. Algorithm 1 terminates, and it returns a finite set $R$ such that
\[ {\downarrow} R = \Downarrow_f \mathrm{Lim}\,\mathrm{Reach}(V_z). \tag{6.1} \]

Proof. The termination of the algorithm follows from König's lemma. If the algorithm did not terminate, then it would generate an infinite tree. Because this tree has a finite branching degree, by König's lemma, there is an infinite branch. Since $\le$ is a well-ordering over $\{0\} \times \mathbb{N}_\omega^{d-1}$, this implies that we can extract from this infinite branch an infinite increasing subsequence. However, since we add children to a leaf only if there does not exist a strict ancestor labeled by the same vector, this sequence cannot contain the same vector twice, and must therefore be strictly increasing. But, due to the use of the operator $\nabla$, a component with an integer is replaced by $\omega$ at every acceleration step. Because the number of $\omega$'s in the vectors labeling a branch cannot decrease, we obtain a contradiction. Let us now prove (6.1).

$\subseteq$: Let $n$ be a node of $T$, whose label is $x$. By Lemmas 6.2 and 6.4 we have $x_{in} \Rightarrow x$. By definition of $\Rightarrow$, we conclude that $x \in \Downarrow_f \mathrm{Lim}\,\mathrm{Reach}(V_z)$.

$\supseteq$: We shall show $\Downarrow_f \mathrm{Reach}(V_z) \subseteq {\downarrow} R$. The desired inclusion follows by taking limits of both sides, since $\mathrm{Lim} \Downarrow_f \mathrm{Reach}(V_z) = \Downarrow_f \mathrm{Lim}\,\mathrm{Reach}(V_z)$ and $\mathrm{Lim} {\downarrow} R = {\downarrow} R$ (since $R$ is finite).

So let $(0, \alpha) \in \Downarrow_f \mathrm{Reach}(V_z)$: there exist $\alpha' \in \mathbb{N}^{d-1}$ with $\alpha \le \alpha'$ and $u \in (A \cup \{a_z\})^*$ such that $x_{in} \xrightarrow{u} (0, \alpha')$. We will show by induction on the length of $u$ that $(0, \alpha') \in {\downarrow} R$. If $u$ is empty, just observe that $x_{in}$ labels the root, hence $x_{in} \in R$. Otherwise, $u = va$ and we have:
\[ x_{in} \xrightarrow{v} (0, \beta) \xrightarrow{a} (0, \alpha'). \]
The induction hypothesis yields $(0, \beta) \in {\downarrow} R$. Hence, there is in the tree a node labeled $\gamma \ge \beta$. Since a node label cannot be modified after acceleration (lines 8 to 12), this means that instructions at lines 13 and 16 have been executed when the variable $x$ was set to $\gamma$, and this ensures that $(0, \alpha') \in {\downarrow} R$.

We have proved that Algorithm 1 computes a basis $R$ of $\Downarrow_f \mathrm{Reach}(V_z)$. □

Proposition 6.5 and Lemma 6.1 finally imply the central theorem of this paper:

Theorem 6.6. Given a VAS$_z$ $V_z$, one can effectively compute the minimal basis of $\mathrm{Cover}(V_z)$.

This theorem solves the place-boundedness problem for VAS$_z$. For vector addition systems, it can be transferred to obtain model-checking algorithms. We investigate model-checking problems in the presence of one zero-test in the next section. However, we shall use the decidability of the reachability problem instead of Theorem 6.6.






REMI BONNET, ALAIN FINKEL, JEROME LEROUX, AND MARC ZEITOUN 



7. Repeated Control State Reachability is decidable for VASS$_z$

Vector addition systems can be extended with control flow graphs. Such a control flow graph is given by a finite set of control states and a finite set of transitions labeled by actions. This model is called Vector Addition Systems with States (VASS for short). If instead of a VAS, we enrich a VAS$_z$ with a control flow graph, we obtain a Vector Addition System with States and one zero-test (VASS$_z$ for short). These models are formally defined in the sequel.

For these systems, the repeated control state reachability consists in deciding whether a given control state can be visited infinitely often along some run. This problem is interesting since a number of model-checking problems, such as LTL model-checking, are reducible to it. For the class of VASS, the repeated control state reachability problem is known to be decidable thanks to a reduction to the computation of the cover set. In this section, we extend this decidability result to the class of VASS$_z$. However, our proof relies on a reduction to the reachability problem for VASS$_z$ [33, 17]. We leave as an open question whether the repeated control state reachability for VASS$_z$ can be reduced to the computation of the cover.

Let us first recall the classical extensions of VAS and VAS$_z$ with States, respectively written VASS and VASS$_z$. States can be seen as mutually-exclusive, 1-bounded counters, and hence are only used as a syntactic convenience.

Definition 7.1 (VASS$_z$). A Vector Addition System with States and one zero-test (VASS$_z$) of dimension $d$ is a tuple $V = (A, a_z, \delta, x_{in}, Q, T, q_{in})$, where $(A, a_z, \delta, x_{in})$ is a VAS$_z$ of dimension $d$, $Q$ is a non-empty finite set of control states, $T \subseteq Q \times (A \cup \{a_z\}) \times Q$ is a finite set of transitions, and $q_{in} \in Q$ is the initial control state.

A Vector Addition System with States (VASS) is defined similarly from a VAS $(A, \delta, x_{in})$, with $T \subseteq Q \times A \times Q$, and can be thought of as a VASS$_z$ where the action $a_z$ is not used.

The VASS$_z$ semantics is defined as follows. Let us call state any pair

A VASS$_z$ of dimension $d$ induces a transition system over the set of states, given for every $a \in A \cup \{a_z\}$ by:
\[ (p, x) \xrightarrow{a} (q, y) \quad \text{if } (p, a, q) \in T \text{ and } x \xrightarrow{a} y. \]
These relations extend uniquely into relations $\xrightarrow{w}$ over the set of states, for $w \in (A \cup \{a_z\})^*$, by requiring that $\xrightarrow{\varepsilon}$ is the identity relation and $\xrightarrow{w_1 w_2}$ is the composition $\xrightarrow{w_1} \circ \xrightarrow{w_2}$, for $w_1, w_2 \in (A \cup \{a_z\})^*$. The reachability relation, denoted by $\xrightarrow{*}$, is defined as the union of all relations $\xrightarrow{w}$, when $w$ ranges over $(A \cup \{a_z\})^*$. We also introduce the relation $\xrightarrow{+}$ defined as the union of all relations $\xrightarrow{w}$ when $w$ ranges over $(A \cup \{a_z\})^+$.

A control state $q_f \in Q$ is said to be visited infinitely often if there exists an infinite sequence $(x_j)_{j > 0}$ of vectors $x_j \in \mathbb{N}^d$ such that $(q_{in}, x_{in}) \xrightarrow{*} (q_f, x_1)$ and such that $(q_f, x_j) \xrightarrow{+} (q_f, x_{j+1})$ for all $j > 0$. The repeated control state reachability consists in deciding whether a given control state $q_f$ is visited infinitely often.

We first reduce the repeated control state reachability to a simpler property.

Lemma 7.1. Let $V = (A, a_z, \delta, x_{in}, Q, T, q_{in})$ be a VASS$_z$ of dimension $d$. A control state $q_f$ is visited infinitely often if and only if there exist $x, y \in \mathbb{N}^d$ such that $(q_{in}, x_{in}) \xrightarrow{*} (q_f, x) \xrightarrow{w} (q_f, y)$, and one of the following conditions is satisfied:

(i) we have $x \le y$ and $w \in A^+$, or
(ii) we have $x \le_1 y$ and $w \in (A \cup \{a_z\})^+$.
Proof. Naturally, if (i) or (ii) holds, then $q_f$ is visited infinitely often by monotony of $\xrightarrow{w}$.

Conversely, assume that $q_f$ is visited infinitely often. There exist an infinite sequence $(x_j)_{j > 0}$ of vectors $x_j \in \mathbb{N}^d$, a word $w_0 \in (A \cup \{a_z\})^*$ such that $(q_{in}, x_{in}) \xrightarrow{w_0} (q_f, x_1)$, and an infinite sequence $(w_j)_{j > 0}$ of words $w_j \in (A \cup \{a_z\})^+$ such that $(q_f, x_j) \xrightarrow{w_j} (q_f, x_{j+1})$ for every $j > 0$. We introduce the set $J$ of indexes $j > 0$ such that $a_z$ occurs in $w_j$. We distinguish two cases according to whether $J$ is finite or infinite.

Assume first that $J$ is finite. By replacing $w_0$ with $w_0 \cdots w_m$, where $m = \max J$, and $w_\ell$ with $w_{m+\ell}$ for $\ell > 0$, we may assume without loss of generality that $J = \emptyset$, i.e., that $w_j \in A^+$ for all $j > 0$. By Dickson's lemma, there exist positive integers $j < k$ such that $x_j \le x_k$. We deduce that (i) holds, by observing that $(q_{in}, x_{in}) \xrightarrow{v} (q_f, x) \xrightarrow{w} (q_f, y)$ with
\[ v = w_0 \cdots w_{j-1}, \qquad w = w_j \cdots w_{k-1}, \qquad x = x_j \quad \text{and} \quad y = x_k. \]

Assume now that $J$ is infinite. By suitably concatenating some words $w_j$, we can assume without loss of generality that $a_z$ occurs in $w_j$ for every $j > 0$. This means that $w_j$ can be decomposed into $w_j = u_j a_z v_j$ for some words $u_j, v_j \in (A \cup \{a_z\})^*$. Hence there exists a state $(q_j, y_j)$ such that $(q_f, x_j) \xrightarrow{u_j a_z} (q_j, y_j) \xrightarrow{v_j} (q_f, x_{j+1})$. Dickson's lemma shows that there exist $j < k$ such that $y_j \le y_k$ and $q_j = q_k$. Since the vectors $y_j$ and $y_k$ appear just after the zero-test $a_z$, we deduce that $y_j(1) = y_k(1)$, so $y_j \le_1 y_k$. Let $z = y_k - y_j$. Note that we have:
\[ (q_{in}, x_{in}) \xrightarrow{w_0 \cdots w_{j-1} u_j a_z} (q_j, y_j) \xrightarrow{v_j} (q_f, x_{j+1}) \xrightarrow{w_{j+1} \cdots w_{k-1} u_k a_z} (q_k, y_k). \]

Now we use monotony: since $(q_j, y_j) \xrightarrow{v_j} (q_f, x_{j+1})$, $y_j \le_1 y_k$, and $q_k = q_j$, we get $(q_k, y_k) \xrightarrow{v_j} (q_f, x_{j+1} + z)$. Therefore $(q_{in}, x_{in}) \xrightarrow{v} (q_f, x) \xrightarrow{w} (q_f, y)$ with
\[ v = w_0 \cdots w_j, \qquad w = w_{j+1} \cdots w_{k-1} u_k a_z v_j, \qquad x = x_{j+1} \quad \text{and} \quad y = x_{j+1} + z. \]
□

Theorem 7.2. The repeated control state reachability problem is decidable for VASS Z . 

Proof. Consider a VASS_Z $V = (A, a_z, \delta, x_{in}, Q, T, q_{in})$ of dimension $d$ and a control state $q_f \in Q$. Without loss of generality, by introducing some extra control states and actions, we can assume that $\delta(a_z)$ is the zero vector.

We construct from $V$ a VASS_Z $V' = (A', a_z, \delta', (x_{in}, x_{in}), Q', T', q_{in})$ of dimension $2d$ as follows. We duplicate the set of control states $Q$ into two additional copies for simulating conditions (i) and (ii) of Lemma 7.1. These copies are denoted by $Q_{(i)}$ and $Q_{(ii)}$, and the copies of a control state $q \in Q$ are denoted by $q_{(i)}$ and $q_{(ii)}$. We define $Q' = Q \cup Q_{(i)} \cup Q_{(ii)}$. We duplicate the set of actions $A$ into two additional copies $A_{(i)}$ and $A_{(ii)}$. The copies of an action $a \in A$ are denoted by $a_{(i)}$ and $a_{(ii)}$. We introduce the sets of transitions

$$T_{(i)} = \{(p_{(i)}, a_{(i)}, q_{(i)}) \mid (p, a, q) \in T \wedge a \in A\} \cup \{(q_f, a_{(i)}, q_{(i)}) \mid (q_f, a, q) \in T \wedge a \in A\},$$
$$T_{(ii)} = \{(p_{(ii)}, a_{(ii)}, q_{(ii)}) \mid (p, a, q) \in T\} \cup \{(q_f, a_{(ii)}, q_{(ii)}) \mid (q_f, a, q) \in T\},$$

where $(a_z)_{(ii)}$ denotes $a_z$. Observe that transitions in $T_{(i)}$ are not labeled by the zero-test $a_z$. The set of transitions of $V'$ is $T' = T \cup T_{(i)} \cup T_{(ii)}$. The displacement function $\delta'$ is defined by $\delta'(a) = (\delta(a), \delta(a))$ and $\delta'(a_{(i)}) = \delta'(a_{(ii)}) = (\delta(a), 0)$ for every $a \in A$, and $\delta'(a_z) = (0, 0)$.

Now just observe that for every $x, y \in \mathbb{N}^d$, we have:

(i) There exists a run in $V$ of the form $(q_{in}, x_{in}) \xrightarrow{v} (q_f, x) \xrightarrow{w} (q, y)$ such that $w \in A^+$ if and only if $(q_{(i)}, y, x)$ is reachable in $V'$.

(ii) There exists a run in $V$ of the form $(q_{in}, x_{in}) \xrightarrow{v} (q_f, x) \xrightarrow{w} (q, y)$ such that $w \in (A \cup \{a_z\})^+$ if and only if $(q_{(ii)}, y, x)$ is reachable in $V'$.

(Indeed, once a copy has been entered from $q_f$, the first $d$ counters of $V'$ follow the run from $(q_f, x)$ while the last $d$ counters keep the value $x$, and the zero test of $V'$ bears on counter $0$ of the first copy.) From Lemma 7.1 we deduce that $q_f$ is a repeated control state in $V$ if and only if there exists for $V'$ a reachable state of the form $((q_f)_{(i)}, y, x)$ with $x \leq y$, or a reachable state of the form $((q_f)_{(ii)}, y, x)$ with $x \sqsubseteq y$.

We reduce these two problems to the reachability problem for a VASS_Z $V''$ obtained from $V'$ by adding two extra states $r_{(i)}$ and $r_{(ii)}$, two extra transitions $((q_f)_{(i)}, (0, 0), r_{(i)})$ and $((q_f)_{(ii)}, (0, 0), r_{(ii)})$, and two extra cycles on $r_{(i)}$ and $r_{(ii)}$ that suitably decrease the counters (for instance, loops that decrement the same counter in both copies simultaneously, together with loops that decrement a counter of the first copy alone, the latter being omitted for counter $0$ on $r_{(ii)}$), in such a way that

- $((q_f)_{(i)}, y, x)$ with $x \leq y$ is reachable in $V'$ if and only if $(r_{(i)}, 0, 0)$ is reachable in $V''$, and

- $((q_f)_{(ii)}, y, x)$ with $x \sqsubseteq y$ is reachable in $V'$ if and only if $(r_{(ii)}, 0, 0)$ is reachable in $V''$.

We have reduced the repeated control state reachability problem to the reachability problem for VASS_Z, which is decidable [33, 7]. $\square$
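The construction above (duplicating the control states and actions of $V$ to obtain $V'$, then adding the sink states $r_{(i)}$, $r_{(ii)}$ with their decreasing cycles to obtain $V''$) and the loop condition of Lemma 7.1 are spelled out in the following Python program. It is an added example and not code from the paper: the dictionary encoding of a VASS_Z, all field, state and action names, and the two toy systems V1 and V2 are this example's own constructions. The program builds $V''$ mechanically from $V$ and $q_f$ and then explores $V''$ by bounded breadth-first search; such a search can only exhibit witnesses of reachability within its step bound, whereas the theorem relies on the decision procedure for VASS_Z reachability [33, 7]. In V1 the state q_f is repeated through a loop containing the zero test and satisfying $x \sqsubseteq y$; in V2 the only loop on q_f satisfies $x \leq y$ but changes counter $0$, so $(r_{(ii)}, 0, 0)$ is not reached and iterate_loop shows the second iteration blocking at the zero test.

```python
"""Reduction of repeated control state reachability for a VASS with one zero-test (VASS_Z)
to reachability, following the construction of V' and V'' in the proof of Theorem 7.2.
Added example: the dictionary encoding and all names below are this example's own choices."""

# A VASS_Z is a dict with keys: dim, q_in, x_in, az (name of the zero-test action, which
# tests counter 0), delta (action -> displacement tuple) and trans (list of (p, a, q)).

def fire(V, x, a):
    """Apply action a to counter vector x; None if the zero test or a counter blocks it."""
    if a == V["az"] and x[0] != 0:
        return None
    y = tuple(xi + di for xi, di in zip(x, V["delta"][a]))
    return y if min(y) >= 0 else None

def run_word(V, q, x, word):
    """Follow a sequence of transitions (p, a, r) from (q, x); None if it is not a run."""
    for p, a, r in word:
        if p != q:
            return None
        x = fire(V, x, a)
        if x is None:
            return None
        q = r
    return q, x

def iterate_loop(V, q, x, word, n):
    """Iterate a loop n times; returns the final configuration, or the iteration that blocked."""
    for k in range(n):
        res = run_word(V, q, x, word)
        if res is None:
            return ("blocked", k)
        q, x = res
    return q, x

def reachable(V, bound):
    """Configurations reachable in at most `bound` steps (bounded breadth-first search:
    an under-approximation, used only to exhibit witnesses of reachability)."""
    start = (V["q_in"], V["x_in"])
    seen, frontier = {start}, [start]
    for _ in range(bound):
        nxt = []
        for q, x in frontier:
            for p, a, r in V["trans"]:
                if p == q:
                    y = fire(V, x, a)
                    if y is not None and (r, y) not in seen:
                        seen.add((r, y))
                        nxt.append((r, y))
        frontier = nxt
    return seen

def build_Vpp(V, qf):
    """V'' of dimension 2d: V, its copies Q_(i) (no zero test) and Q_(ii), the sinks r_(i), r_(ii)
    and cycles on them that can empty the counters iff x <= y, resp. x <= y with x(0) = y(0)."""
    d, az = V["dim"], V["az"]
    zero = (0,) * d
    assert V["delta"][az] == zero          # the proof assumes delta(a_z) = 0
    delta = {a: v + v for a, v in V["delta"].items()}   # delta'(a) = (delta(a), delta(a))
    trans = list(V["trans"])
    for tag in ("i", "ii"):
        for p, a, q in V["trans"]:
            if tag == "i" and a == az:
                continue                     # T_(i) contains no zero test
            a2 = az if a == az else f"{a}_{tag}"
            delta[a2] = V["delta"][a] + zero  # delta'(a_(tag)) = (delta(a), 0)
            trans.append((f"{p}_{tag}", a2, f"{q}_{tag}"))
            if p == qf:
                trans.append((qf, a2, f"{q}_{tag}"))  # entering the copy from q_f
        r = f"r_{tag}"
        delta[f"enter_{tag}"] = zero + zero
        trans.append((f"{qf}_{tag}", f"enter_{tag}", r))
        for i in range(d):
            e = tuple(-1 if j == i else 0 for j in range(d))
            delta[f"both{i}_{tag}"] = e + e      # decrement counter i in both copies
            trans.append((r, f"both{i}_{tag}", r))
            if tag == "i" or i > 0:              # for (ii), counter 0 must match exactly
                delta[f"only{i}_{tag}"] = e + zero  # decrement counter i of the y copy alone
                trans.append((r, f"only{i}_{tag}", r))
    return {"dim": 2 * d, "q_in": V["q_in"], "x_in": V["x_in"] + V["x_in"],
            "az": az, "delta": delta, "trans": trans}

def repeated_witness(V, qf, bound):
    """Which sinks (r_(i), 0, 0) / (r_(ii), 0, 0) are reached in V'' within `bound` steps."""
    Vpp = build_Vpp(V, qf)
    zero2 = (0,) * Vpp["dim"]
    found = reachable(Vpp, bound)
    return {tag for tag in ("i", "ii") if (f"r_{tag}", zero2) in found}

# Constructed toy systems (counter 0 is the tested one, delta(az) = (0, 0)).
# V1: q_f is repeated only through a loop containing a zero test: (1,0) -> (1,1) -> (1,2) ...
V1 = {"dim": 2, "q_in": "q_in", "x_in": (0, 0), "az": "az",
      "delta": {"inc0": (1, 0), "swap": (-1, 1), "az": (0, 0)},
      "trans": [("q_in", "inc0", "q_f"), ("q_f", "swap", "p"), ("p", "az", "s"), ("s", "inc0", "q_f")]}
# V2: the only loop on q_f goes (0,1) -> (1,1): larger, but counter 0 changed, so a_z fails next time.
V2 = {"dim": 2, "q_in": "q_in", "x_in": (0, 0), "az": "az",
      "delta": {"inc1": (0, 1), "inc0": (1, 0), "az": (0, 0)},
      "trans": [("q_in", "inc1", "q_f"), ("q_f", "az", "t"), ("t", "inc0", "q_f")]}

if __name__ == "__main__":
    print(repeated_witness(V1, "q_f", 12))   # {'ii'}
    print(repeated_witness(V2, "q_f", 12))   # set()
    print(iterate_loop(V1, "q_f", (1, 0), [("q_f", "swap", "p"), ("p", "az", "s"), ("s", "inc0", "q_f")], 5))
    print(iterate_loop(V2, "q_f", (0, 1), [("q_f", "az", "t"), ("t", "inc0", "q_f")], 5))
```

The cycles on $r_{(i)}$ decrement either both copies of a counter at once or the first copy alone, so the counters can all be emptied exactly when $x \leq y$; on $r_{(ii)}$ the lone decrement of counter $0$ is missing, which forces $x(0) = y(0)$ in addition, i.e., $x \sqsubseteq y$.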

A classical application of the decidability of the repeated control state reachability for VASS is the decidability of LTL model-checking, and more generally of model-checking against ω-regular specifications (it is well-known that LTL specifications can be effectively compiled into ω-regular specifications, see [37] for some original results, or [36] for a survey). Let us informally describe this problem (see [14, 5] for formal presentations). Its inputs are a Σ-labeled VASS_Z $V$ and an ω-regular language $L$ over Σ. By a Σ-labeled VASS_Z, we mean a VASS_Z $V$ with transition set $T$, equipped with a labeling function $\ell : T \to \Sigma$. The trace of an infinite run of $V$ is the infinite word over Σ obtained as the image under $\ell$ of the run. The question is whether all traces of $V$ belong to $L$.

For VASS, the standard technique to solve this problem is to build the product $V \times \mathcal{A}$ of the VASS $V$ with a Büchi automaton $\mathcal{A}$ recognizing $L$ (or the complement of $L$, which is again ω-regular, when one looks for a violating trace), synchronized on Σ. The problem then reduces to the repeated control state reachability in $V \times \mathcal{A}$, which is a VASS. This also works in our case, since the class of VASS_Z is closed under direct product with a finite-state automaton. We deduce the following statement.

Theorem 7.3. Model-checking a labeled vector addition system with states and one zero-test against an ω-regular property (and in particular against an LTL specification) is decidable.

8. Conclusion and perspectives 

Summary. Our main result is a forward algorithm, à la Karp and Miller, to compute the downward closure of the reachability set of a non-monotonic transition system: VAS_Z. The proof first goes by strengthening the decidability of the reachability set of a VAS: we show that the limit closure of this set is decidable. We have then introduced new sets, sitting between the cover and the reachability set. We have shown that the decidability of the limit closure of the reachability set entails the decidability of filtered covers for a usual VAS. This tool has then been used to perform accurate macro-steps in an adapted Karp-Miller algorithm for VAS_Z. Finally, we have shown how to use this result to decide place boundedness for VAS_Z, as well as the repeated control state reachability problem, and LTL model-checking.
VAS vs. VAS_Z. Classical decidable problems for VAS are still decidable for VAS_Z: reachability, coverability, boundedness, place boundedness, LTL model-checking, repeated control state reachability. One may want to investigate which logical properties remain decidable for VAS_Z (see e.g. [5] for properties on VAS solvable using Karp-Miller trees). Note that VAS_Z cannot be simulated by VAS. For instance the prefix-closure of the language $\{a^n b^n \mid n \geq 1\}^*$ can be recognized by a VAS_Z, but not by a VAS [26].

Complexity and dependency on the reachability problem. Unfortunately, we cannot say anything about the complexity of the computation of the cover for VAS_Z, because our proof uses the decidability of the reachability problem for VAS as an oracle, whose complexity is still open. More precisely, we have used the decidability of the reachability problem for VAS in Section 4, and this cannot be avoided to get Theorem 4.1. However, to decide the repeated control state reachability problem in Section 7, we have also used a reduction to the decidability of the reachability problem, this time for VAS_Z. It is not clear whether one can avoid it: we leave it as an open problem.

Future work. Our results cannot be trivially extended to the more general class of VAS with hierarchical zero-tests [33]. In fact, for this class, the coverability problem and the reachability problem are mutually reducible with immediate log-space reductions. The reachability problem was proved to be decidable by Reinhardt in [33]. Recently, the model of VAS with hierarchical zero-tests was proved to be equivalent to VAS with one stack encoding bounded-index context-free languages [3]. As future work, we are interested in the decidability of the reachability problem for VAS equipped with an unrestricted stack. With this class, it becomes possible to model client-server systems where the clients, identical finite-state machines, are dynamically created and destroyed, and the server is a recursive finite-state machine communicating by rendez-vous. The reachability problem for this class is open. For tackling this problem, we recently investigated a simplification of Reinhardt's decidability proof of the reachability problem for VAS with hierarchical zero-tests [33]: for the subclass of VAS_Z, the first author published a simplified proof in [7], based on the work of the third author [28].